set-value as a dependency, which contains a type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
The latest possible version of
set-value that can be installed is
2.0.1 because of the following conflicting dependencies:
email@example.com requires set-value@^2.0.0 via a transitive dependency on firstname.lastname@example.org email@example.com requires set-value@^2.0.1 via a transitive dependency on firstname.lastname@example.org
The earliest fixed version is
4.0.1. Will this be taken care of any time soon?