Version Details and Security Vulnerabilities

📦

convict

6.2.3

Comparision Betweeen 6.2.3 and 6.2.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

40.69 KB

40.62 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

convict

6.2.3

Comparision Betweeen 6.2.3 and 6.2.2

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

40.69 KB

40.62 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 6.2.3 of the package convict.

All Security Vulnerabilities

All the vulnerabilities related to the version 6.2.3 of the package

Summary:

convict vulnerable to Prototype Pollution

Details:

Impact

An attacker can inject attributes that are used in other components
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.

Patches

The problem is patched in convict@6.2.4. Users should upgrade to convict@6.2.4.

Workarounds

No way for users to fix or remediate the vulnerability without upgrading

References

https://github.com/mozilla/node-convict/issues/410

Details about convict@6.2.3

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 6.2.3 of the package convict.

All Security Vulnerabilities

All the vulnerabilities related to the version 6.2.3 of the package

Summary:

convict vulnerable to Prototype Pollution

Details:

Impact

An attacker can inject attributes that are used in other components
An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.

Patches

The problem is patched in convict@6.2.4. Users should upgrade to convict@6.2.4.

Workarounds

No way for users to fix or remediate the vulnerability without upgrading

References

https://github.com/mozilla/node-convict/issues/410

Details about convict@6.2.3

Version Details and Security Vulnerabilities

convict

Comparision Betweeen 6.2.3 and 6.2.2

Security Vulnerabilities

Version Details and Security Vulnerabilities

convict

Comparision Betweeen 6.2.3 and 6.2.2

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

Version Details and Security Vulnerabilities

convict

Comparision Betweeen 6.2.3 and 6.2.2

Security Vulnerabilities

Version Details and Security Vulnerabilities

convict

Comparision Betweeen 6.2.3 and 6.2.2

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

convict@6.2.3 GHSA-4jrm-c32x-w4jf 7.3

Impact

Patches

Workarounds

References

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

convict@6.2.3 GHSA-4jrm-c32x-w4jf 7.3

Impact

Patches

Workarounds

References