Forums

Dear Wendy,

Thank you for raising our attention to this point.

The assign-deep package is upgraded to 1.0.1, but the myscript package (containing myScriptJS)  that comes as a dependancy of the myscript-math-web library still relies on the 4.0.7 version. This is probably the reason why you still have this message.

If you are starting a new Web project, we recommand you to use myScriptJS that is the core of the MyScript browser technology and will allow you higher integration flexibility rather than the myscript-math-web.

Tis assign-deep vulneraibility is a concern in case a Javascript payload is sent  to the BackEnd in Javascript, which is not the case of our BackEnd server (that is in Java).

Nevertheless, the version of assign-deep is already UpToDate in the  next MyScriptJS release that should be available in a few weeks.

 In the meantime you might want to take the MyScriptJS version that is available in this branch to get the UpToDate version of assign-deep. This fix is provided as is, without qualification.

Best regards,

Gwenaëlle

Dear Wendy,

currently, you can use the current release of the MyScriptJS:

-As said by Gwenaëlle, our BackEnd server in in JAVA, so the assign-deep vulnerability is not a concern

-The coming release of the MyScriptJS will be compatible with the current one, so upgrade will be pretty straight-forward.

Best regards,

Olivier