merge@1.2.1 is vulnerable to prototype pollution via _recursiveMerge

According to npm audit, one of Twing's dependencies, merge@1.2.1, is vulnerable to prototype pollution via _recursiveMerge:

# Run  npm install merge@2.1.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ merge                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1666                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I had a go at updating merge on a local copy of Twing and after updating package.json, I've managed to successfully build Twing and all tests pass without any further modifications.

I'm happy to provide a pull request, although unless I've missed something all it'll involve is updating package.json.

Edited Jun 01, 2021 by Damien Dart