Netlify-lambda dependency set-value

dafoobar · October 25, 2021, 1:09pm

Dear support,

netlify-lambda has set-value as a dependency, which contains a type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.

The latest possible version of set-value that can be installed is 2.0.1 because of the following conflicting dependencies:

netlify-lambda@2.0.14 requires set-value@^2.0.0 via a transitive dependency on cache-base@1.0.1
netlify-lambda@2.0.14 requires set-value@^2.0.1 via a transitive dependency on union-value@1.0.1

The earliest fixed version is 4.0.1. Will this be taken care of any time soon?
Cheers, DFB

coelmay · October 25, 2021, 9:58pm

Hi @dafoobar

Looking at the package.json and package-lock.json set-value is not a direct dependency of netlify-lambda but of other packages used by it such as cache-base (which again, is not a direct dependency of netlify-lambda.) You might file as issue so the developers can look into it further, though as it appears (as mentioned) to stem from other packages, there is possibly not a great deal they can do to rectify the issue.

Topic		Replies	Views
Multiple `Set-Cookie` headers cause netlify lambda to throw an error Support lambda-functions , netlify-dev-open-beta	7	4780	October 15, 2020
Issue with Lambda Functions. Help! Support lambda-functions	1	829	May 21, 2020
My lambda function's `package.json` file is causing mystery failures Support building , lambda-functions	4	672	January 4, 2021
Environment variables update Support lambda-functions , netlify-cli , caching	1	234	January 6, 2024
Error with netlify-lambda when upgrading it from 1.6.3 to 2.0.x but only when running within a Netlify deploy Support deployment , lambda-functions	2	468	March 30, 2021

Netlify-lambda dependency set-value

Related topics