
Prototype Pollution

Hi there, I am trying to install the myscript-math-web library, but I keep getting a high severity vulnerability.


The assign-deep package is upgraded to 1.0.1 so that is not the problem.

Has anyone had this before?


Dear Wendy,

Thank you for raising our attention to this point.

The assign-deep package is upgraded to 1.0.1, but the myscript package (containing myScriptJS) that comes as a dependency of the myscript-math-web library still relies on the 4.0.7 version. This is probably the reason why you still have this message.

If you are starting a new Web project, we recommend that you use myScriptJS, which is the core of the MyScript browser technology and will allow you higher integration flexibility than myscript-math-web.

This assign-deep vulnerability is a concern in case a JavaScript payload is sent to the BackEnd in JavaScript, which is not the case for our BackEnd server (which is in Java).

Nevertheless, the version of assign-deep is already up to date in the next MyScriptJS release, which should be available in a few weeks.

In the meantime you might want to take the MyScriptJS version that is available in this branch to get the up-to-date version of assign-deep. This fix is provided as is, without qualification.

Best regards,


Dear Gwenaëlle,

Thank you very much for your reply. 

I have uninstalled the myscript-math-web, and I tried installing the main MyScriptJS as you suggested in the link.

npm install myscript

I still get the same assign-deep vulnerability warning - did you mean that the version with the update still hasn't been released for the main library as well? Can I still use this library despite being given the warning, or should I wait until the up to date version is uploaded?

Best regards,


Dear Wendy,

Currently, you can use the current release of MyScriptJS:

- As said by Gwenaëlle, our BackEnd server is in Java, so the assign-deep vulnerability is not a concern

- The coming release of MyScriptJS will be compatible with the current one, so the upgrade will be pretty straightforward.

Best regards,
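
Added example, not part of the thread and not MyScript's code: the warning discussed above persists because npm can install a second, nested copy of assign-deep under the package that still requires the old one. This Node.js sketch lists every installed copy from the "packages" map of a package-lock.json and flags those older than the fixed version (1.0.1, as named in the thread); SAMPLE_LOCK and all version numbers in it are constructed, and findCopies and versionLess are hypothetical helper names.

```javascript
// SAMPLE_LOCK is constructed: it mimics the "packages" map of an npm v7+
// package-lock.json. All version numbers in it are made up for illustration.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "myscript-math-web": "*", "assign-deep": "^1.0.1" } },
    "node_modules/assign-deep": { version: "1.0.1" },
    "node_modules/myscript-math-web": { version: "0.0.1", dependencies: { myscript: "*" } },
    "node_modules/myscript": { version: "0.0.2", dependencies: { "assign-deep": "^0.1.0" } },
    "node_modules/myscript/node_modules/assign-deep": { version: "0.1.0" },
  },
};

// Compare dotted numeric versions; pre-release tags are ignored in this sketch.
function versionLess(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return every installed copy of `name`, the package whose node_modules
// directory holds it, and whether it is older than `fixedVersion`.
function findCopies(lock, name, fixedVersion) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const parent = parentPath ? parentPath.split("node_modules/").pop() : "(project root)";
    copies.push({ path, version: meta.version, nestedUnder: parent,
                  outdated: versionLess(meta.version, fixedVersion) });
  }
  return copies;
}

// On a real project: findCopies(require("./package-lock.json"), "assign-deep", "1.0.1")
for (const c of findCopies(SAMPLE_LOCK, "assign-deep", "1.0.1")) {
  console.log(`${c.path}  ${c.version}  under ${c.nestedUnder}  ${c.outdated ? "OUTDATED" : "ok"}`);
}
```

A copy reported as nested under another package is only replaced when that package's own dependency range allows the fixed version, which is why upgrading the top-level assign-deep alone does not clear the warning.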

