Commit b45328c

Bump merge to 2.1.1
Fixes:
* https://security.snyk.io/vuln/SNYK-JS-MERGE-1040469
* https://security.snyk.io/vuln/SNYK-JS-MERGE-1042987

`vue-bootstrap-toggle` only uses a single function of `merge`. That function still exists in v2 of `merge`, so this version bump is not a breaking change. See https://github.com/rhyek/vue-bootstrap-toggle/blob/16cf66e4346119ea5b72ec2abeafe524b55bbaee/src/index.vue#L51

Further, the vulnerabilities (both prototype pollutions) are not exploitable, as neither of the arguments passed to `merge.recursive` are user-controllable. Still performing the update to make scanners happy.

Signed-off-by: nscuro <[email protected]>
1 parent 50db524 commit b45328c

2 files changed

+8
-3
lines changed

package-lock.json

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default.

package.json

Lines changed: 5 additions & 0 deletions
@@ -67,6 +67,11 @@
6767
"uuid": "7.0.3",
6868
"vue-template-compiler": "2.6.14"
6969
},
70+
"overrides": {
71+
"vue-bootstrap-toggle": {
72+
"merge": "2.1.1"
73+
}
74+
},
7075
"browserslist": [
7176
"> 1%",
7277
"last 2 versions",
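Review bot: The new `"overrides"` block (new lines 70-74) is only honored by npm 8.3.0 and later; an older npm ignores the field without an error, so on such a client the pin to `"merge": "2.1.1"` rests on the lockfile alone. Since the package-lock.json diff is not rendered here, it would help to confirm that `npm ls merge` reports 2.1.1 under `vue-bootstrap-toggle` and to state the minimum npm version the build expects. The override also forces a major version that `vue-bootstrap-toggle` does not declare support for, so a build or smoke test that exercises the toggle component is worth adding to back the commit message's claim that `merge.recursive` is unchanged in v2.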
