
Netlify-lambda dependency set-value

Dear support,

netlify-lambda has set-value as a dependency, which contains a type confusion vulnerability that can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

The latest possible version of set-value that can be installed is 2.0.1 because of the following conflicting dependencies:

netlify-lambda@2.0.14 requires set-value@^2.0.0 via a transitive dependency on cache-base@1.0.1
netlify-lambda@2.0.14 requires set-value@^2.0.1 via a transitive dependency on union-value@1.0.1

The earliest fixed version is 4.0.1. Will this be taken care of any time soon?
Cheers, DFB

Hi @dafoobar

Looking at the package.json and package-lock.json, set-value is not a direct dependency of netlify-lambda but of other packages used by it, such as cache-base (which, again, is not a direct dependency of netlify-lambda). You might file an issue so the developers can look into it further, though as it appears (as mentioned) to stem from other packages, there is possibly not a great deal they can do to rectify the issue.