Thank you for raising our attention to this point.
The assign-deep package is upgraded to 1.0.1, but the myscript package (containing myScriptJS) that comes as a dependency of the myscript-math-web library still relies on the 4.0.7 version. This is probably the reason why you still have this message.
If you are starting a new Web project, we recommend that you use myScriptJS, which is the core of the MyScript browser technology and will allow you higher integration flexibility, rather than myscript-math-web.
This assign-deep vulnerability is a concern in case a JavaScript payload is sent to the BackEnd in JavaScript, which is not the case of our BackEnd server (that is in Java).
Nevertheless, the version of assign-deep is already up to date in the next MyScriptJS release, which should be available in a few weeks.
In the meantime you might want to take the MyScriptJS version that is available in this branch to get the up-to-date version of assign-deep. This fix is provided as is, without qualification.
Best regards,
Gwenaëlle
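The reply above describes a fixed top-level copy of assign-deep installed alongside an older copy pulled in by another dependency, and that can be checked from the lockfile. This is an added example, not part of the thread or of MyScript's code; the function names and the sample lockfile are constructed, and only the 1.0.1 version comes from the thread.

```javascript
// Added example: list every installed copy of a package in a parsed package-lock.json.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keys).
function findCopies(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/b"
    for (const [key, meta] of Object.entries(lock.packages)) {
      const chain = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
      if (chain[chain.length - 1] === name) hits.push({ chain, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, chain) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name) hits.push({ chain: [...chain, dep], version: meta.version });
      walk(meta.dependencies, [...chain, dep]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// True when version's numeric x.y.z core is lower than minimum's (prerelease tags ignored).
function isOlder(version, minimum) {
  const [a, b] = [version, minimum].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Copies that are still older than the release named as up to date.
function staleCopies(lock, name, minimum) {
  return findCopies(lock, name).filter(c => c.version && isOlder(c.version, minimum));
}

// Constructed lockfile (v1 layout). Only assign-deep 1.0.1 comes from the thread;
// every other version number is a placeholder.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'assign-deep': { version: '1.0.1' },
    myscript: { version: '0.0.0', dependencies: { 'assign-deep': { version: '0.0.1' } } },
  },
};

for (const c of staleCopies(sampleLock, 'assign-deep', '1.0.1')) {
  console.log(`${c.chain.join(' > ')} @ ${c.version} is older than 1.0.1`);
}
```

Against a real project, pass the parsed contents of package-lock.json to `staleCopies` instead of the sample object.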
wendy.arrows@gmail.com said almost 2 years ago
Dear Gwenaëlle,
Thank you very much for your reply.
I have uninstalled the myscript-math-web, and I tried installing the main MyScriptJS as you suggested in the link.
npm install myscript
I still get the same assign-deep vulnerability warning - did you mean that the version with the update still hasn't been released for the main library as well? Can I still use this library despite being given the warning, or should I wait until the up-to-date version is uploaded?
Best regards,
Wendy
Olivier @MyScript said almost 2 years ago
Answer
Dear Wendy,
Currently, you can use the current release of MyScriptJS:
- As said by Gwenaëlle, our BackEnd server is in Java, so the assign-deep vulnerability is not a concern.
- The coming release of MyScriptJS will be compatible with the current one, so the upgrade will be pretty straightforward.
wendy.arrows@gmail.com
Hi there, I am trying to install the myscript-math-web library, but I keep getting a high severity vulnerability.
The assign-deep package is upgraded to 1.0.1 so that is not the problem.
Has anyone had this before?
Thanks