LOW

GHSA-mwv9-gp5h-frr4

Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties

Details

In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly:

```ts const result = devalue.parse(/* input creating an object with a __proto__ property */); const target = {}; Object.assign(target, result); // target's prototype is now polluted ```

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / devalue

Introduced in: 4.0.0 Fixed in: 5.6.4

Fix npm install devalue@5.6.4

References

https://github.com/sveltejs/devalue/security/advisories/GHSA-mwv9-gp5h-frr4 [WEB]
https://github.com/sveltejs/devalue/commit/87c1f3ce3759765a061cfe34843ecc4b0711ba8d [WEB]
https://github.com/sveltejs/devalue [PACKAGE]
https://github.com/sveltejs/devalue/releases/tag/v5.6.4 [WEB]