Prototype Pollution

Hi there, I am trying to install the myscript-math-web library, but I keep getting a high severity vulnerability.

The assign-deep package is upgraded to 1.0.1 so that is not the problem.

Has anyone had this before?


Thanks


Best Answer

Dear Wendy,


Currently, you can use the current release of MyScriptJS:

- As said by Gwenaëlle, our back-end server is in Java, so the assign-deep vulnerability is not a concern.

- The coming release of MyScriptJS will be compatible with the current one, so the upgrade will be pretty straightforward.


Best regards,


Olivier


Dear Wendy,


Thank you for raising our attention to this point.


The assign-deep package is upgraded to 1.0.1, but the myscript package (containing MyScriptJS) that comes as a dependency of the myscript-math-web library still relies on the 4.0.7 version. This is probably the reason why you still have this message.


If you are starting a new Web project, we recommend you use MyScriptJS, which is the core of the MyScript browser technology and will allow you higher integration flexibility than myscript-math-web.


This assign-deep vulnerability is a concern in case a JavaScript payload is sent to a back end written in JavaScript, which is not the case for our back-end server (which is in Java).

Nevertheless, the version of assign-deep is already up to date in the next MyScriptJS release, which should be available in a few weeks.


In the meantime you might want to take the MyScriptJS version that is available in this branch to get the up-to-date version of assign-deep. This fix is provided as is, without qualification.


Best regards,


Gwenaëlle
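The concern Gwenaëlle describes (a JavaScript payload merged into an object by a "deep assign" helper running in a JavaScript back end) is prototype pollution. The following is an added example, not assign-deep's code nor anything from MyScript: a minimal deep-merge in its naive form, which lets a `__proto__` key in attacker-controlled JSON write into `Object.prototype`, next to a hardened form that refuses the `__proto__`, `constructor` and `prototype` keys and only recurses into the target's own properties. The payload and the helper names are constructed for illustration.

```javascript
// Added example (not assign-deep's source): naive vs. hardened deep assign.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep assign: every own key of `src` is copied into `target`, recursing
// into nested objects. "__proto__" is treated like any other key, so
// target["__proto__"] resolves to Object.prototype and the recursion writes
// into it, affecting every object in the process.
function naiveDeepAssign(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepAssign(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Keys that can reach a prototype through an ordinary property write.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep assign: drops the unsafe keys and only recurses into
// properties the target actually owns (never into inherited ones).
function safeDeepAssign(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue; // prototype-pollution vector: skip
    const val = src[key];
    if (isPlainObject(val)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepAssign(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Runs one merge function against a constructed attacker payload and reports
// whether an unrelated object created afterwards inherited the injected key.
// Object.prototype is cleaned up afterwards so repeated runs start fresh.
function demonstrate(mergeFn) {
  // Constructed payload, as it would arrive in a JSON request body.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "name": "ok"}');
  const merged = mergeFn({}, payload);
  const victim = {}; // has nothing to do with the merge
  const polluted = victim.polluted === true;
  delete Object.prototype.polluted;
  return { polluted, name: merged.name };
}

console.log('naive :', demonstrate(naiveDeepAssign)); // { polluted: true,  name: 'ok' }
console.log('safe  :', demonstrate(safeDeepAssign));  // { polluted: false, name: 'ok' }
```

Note that `JSON.parse` creates an own property literally named `"__proto__"`, which is why `Object.keys` returns it; an object literal `{ __proto__: ... }` in source code would instead set the prototype and never reach the loop. Skipping `constructor` also discards a legitimate key of that name; an alternative is to merge into `Object.create(null)` targets, which have no prototype to pollute. To confirm which version of a transitive dependency is actually installed, `npm ls assign-deep` lists every path through which it is pulled in.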

Dear Gwenaëlle,

Thank you very much for your reply.

I have uninstalled the myscript-math-web, and I tried installing the main MyScriptJS as you suggested in the link.

npm install myscript

I still get the same assign-deep vulnerability warning - did you mean that the version with the update still hasn't been released for the main library as well? Can I still use this library despite being given the warning, or should I wait until the up to date version is uploaded?

Best regards,

Wendy
