NodeJS/y18n/4.0.0


the bare-bones internationalization library used by yargs

https://www.npmjs.com/package/y18n
ISC

1 Security Vulnerabilities

Prototype Pollution in y18n

Published date: 2021-03-29T16:05:12Z
CVE: CVE-2020-7774
Links:

Overview

The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution.

POC

const y18n = require('y18n')();

y18n.setLocale('__proto__');
y18n.updateLocale({polluted: true});

console.log(polluted); // true

Recommendation

Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later.

Affected versions: ["5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "4.0.0", "1.0.0", "1.1.0", "2.0.0", "3.0.0", "3.1.0", "3.2.0", "3.2.1"]
Secure versions: [6.0.0-alpha.0, 5.0.5, 4.0.1, 3.2.2, 5.0.6, 4.0.2, 5.0.7, 4.0.3, 5.0.8]
Recommendation: Update to version 5.0.8.

22 Other Versions

Version License Security Released
6.0.0-alpha.0 ISC 2020-09-12 - 00:20 about 2 years
5.0.8 ISC 2021-04-07 - 18:57 over 1 year
5.0.7 ISC 2021-04-07 - 01:46 over 1 year
5.0.6 ISC 2021-04-05 - 01:26 over 1 year
5.0.5 ISC 2020-10-25 - 15:18 almost 2 years
5.0.4 ISC 1 2020-10-16 - 15:44 almost 2 years
5.0.3 ISC 1 2020-10-16 - 01:52 almost 2 years
5.0.2 ISC 1 2020-10-01 - 18:23 about 2 years
5.0.1 ISC 1 2020-09-05 - 23:57 about 2 years
5.0.0 ISC 1 2020-09-05 - 02:35 about 2 years
4.0.3 ISC 2021-04-07 - 18:05 over 1 year
4.0.2 ISC 2021-04-07 - 01:45 over 1 year
4.0.1 ISC 2020-11-30 - 23:43 almost 2 years
4.0.0 ISC 1 2017-10-10 - 19:03 almost 5 years
3.2.2 ISC 2021-01-04 - 22:47 over 1 year
3.2.1 ISC 1 2016-03-17 - 05:04 over 6 years
3.2.0 ISC 1 2015-09-21 - 20:58 about 7 years
3.1.0 ISC 1 2015-08-18 - 22:01 about 7 years
3.0.0 ISC 1 2015-07-29 - 07:35 about 7 years
2.0.0 ISC 1 2015-07-28 - 05:07 about 7 years
1.1.0 ISC 1 2015-07-28 - 04:15 about 7 years
1.0.0 ISC 1 2015-07-27 - 07:19 about 7 years