Forum Discussion
New SPFx project, Prototype Pollution Vulnerability in the set-getter library
I have a new SPFx project, basically empty, and my company requires that the code is scanned for vulnerabilities using Veracode.
The only High Finding I could find is this one:
set-getter and set-getter are vulnerable to Prototype Pollution.
set-getter is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as `__proto__`, `constructor` and `prototype`.
I checked and there are no new versions of this, so I have to provide a valid reason to the security team in order to be able to ignore this flaw.
Is there something I can do in a new SPFx project? Can this dependency be removed somehow or will it break something?
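To make the finding concrete for a security review, here is an added example (not code from set-getter, Veracode or the SPFx project in this thread) of a dotted-path "set" helper of the kind such findings describe: the unsafe form walks any path segment and so reaches `Object.prototype` through `__proto__`, and the hardened form rejects the three keys named in the finding and never descends into inherited values. All function and key names here are hypothetical.

```javascript
// Added example, not code from set-getter or from the SPFx project in the thread.
// A dotted-path "set" helper of the kind such findings describe, in its unsafe
// form and in a hardened form. All names here are hypothetical.

// Unsafe: any path segment is honoured, so "__proto__.x" walks into
// Object.prototype and every plain object in the process then inherits x.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof obj[k] !== 'object' || obj[k] === null) obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the three keys that reach a prototype, and only descend
// into own properties so an inherited value is never used as a container.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing unsafe key "${k}"`);
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || typeof obj[k] !== 'object' || obj[k] === null) {
      obj[k] = Object.create(null); // fresh container with no prototype at all
    }
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Shows the pollution and cleans it up again so the process is left intact.
// Returns true when a brand-new {} inherited the marker, i.e. pollution occurred.
function demonstratePollution() {
  const marker = 'pollution_marker_example';
  unsafeSet({}, `__proto__.${marker}`, true);
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return leaked;
}

// Returns 'blocked' when the hardened helper rejects the same path and nothing leaked.
function demonstrateHardened() {
  const marker = 'pollution_marker_example';
  let rejected = false;
  try {
    safeSet({}, `__proto__.${marker}`, true);
  } catch (e) {
    rejected = true;
  }
  return rejected && ({})[marker] === undefined ? 'blocked' : 'polluted';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe helper polluted Object.prototype:', demonstratePollution());
  console.log('hardened helper result:', demonstrateHardened());
  console.log(JSON.stringify(safeSet({}, 'a.b.c', 1)));
}
```

The key-denylist alone is the usual fix; the own-property check is the second layer, because a container inherited from an already polluted prototype must not be written into either. Null-prototype containers (`Object.create(null)`) still serialise normally with `JSON.stringify`.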
- Luis Valencia (Copper Contributor)
I found the problem myself, maybe for future reference for the readers.
I created an empty project and started to use the modern search webpart dependencies, so I copied the package.json and left the project empty.
The problem is on handlebars; through the dependency chain I could find that very deep handlebars uses this npm package with vulnerabilities.
I created an issue in github for the modern search community team, I wonder if it can be solved.
https://github.com/microsoft-search/pnp-modern-search/issues/1235
Or if we have to explain to our global security team that this is by design or whatever
- VesaJuvonen (Microsoft)
This vulnerable code is not used in runtime, it's only used in the developer box when the solution is scaffolded, so it's not a runtime security issue.
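The two points above (finding the chain that pulls the flagged package in, and whether that chain is dev-time only) are exactly what a triage script should answer. The following is an added example, not code from pnp-modern-search, SPFx or npm: it takes a project's direct dependencies plus a flattened lockfile-style map and lists every chain that reaches a flagged package, tagging chains that start at a devDependency. The data is constructed to mirror the shape of this thread's finding; every package name other than set-getter is hypothetical. On a real project the chain comes from package-lock.json or `npm ls set-getter`.

```javascript
// Added example, not code from pnp-modern-search, SPFx or npm. Given the direct
// dependencies and a flattened lock map, list every chain that reaches a flagged
// package and whether the chain starts at a devDependency. The data is constructed
// to mirror the shape of the finding in this thread (a vulnerable package pulled
// in several levels below a direct dependency); package names other than
// set-getter are hypothetical. For a real project, read package-lock.json or run
// `npm ls set-getter`.

const DIRECT_DEPS = {
  dependencies: ['runtime-lib-a'],    // shipped in the bundle
  devDependencies: ['build-tool-b'],  // only used on the developer box
};

// name -> { requires: { depName: versionRange } }, like lockfile v1 entries
const LOCK_ENTRIES = {
  'runtime-lib-a': { requires: { 'helper-lib-c': '^1.0.0' } },
  'helper-lib-c': { requires: { 'set-getter': '^0.1.0' } },
  'build-tool-b': { requires: { 'set-getter': '^0.1.0' } },
  'set-getter': { requires: {} },
};

// Depth-first walk from each direct dependency; returns one entry per chain
// that ends at `target`, with devOnly set when the chain's root is a devDependency.
function findChains(direct, lock, target) {
  const chains = [];
  const roots = [
    ...direct.dependencies.map((n) => ({ name: n, dev: false })),
    ...direct.devDependencies.map((n) => ({ name: n, dev: true })),
  ];
  for (const root of roots) {
    const stack = [[root.name]];
    while (stack.length) {
      const path = stack.pop();
      const last = path[path.length - 1];
      if (last === target) {
        chains.push({ path, devOnly: root.dev });
        continue;
      }
      const entry = lock[last];
      if (!entry) continue; // not in the lock map: nothing further to walk
      for (const dep of Object.keys(entry.requires)) {
        if (path.includes(dep)) continue; // cycle guard
        stack.push([...path, dep]);
      }
    }
  }
  return chains;
}

// Counts chains reachable from runtime dependencies versus dev-only ones.
function summarize(chains) {
  return {
    runtime: chains.filter((c) => !c.devOnly).length,
    devOnly: chains.filter((c) => c.devOnly).length,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const chains = findChains(DIRECT_DEPS, LOCK_ENTRIES, 'set-getter');
  for (const c of chains) {
    console.log((c.devOnly ? 'dev  ' : 'prod ') + c.path.join(' > '));
  }
  console.log(summarize(chains));
}
```

A `runtime` count of zero is the evidence to attach to a risk acceptance like the one described in this thread; any chain rooted in a runtime dependency means the package can end up in the shipped bundle and should be treated as production code.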
- Praj_123 (Copper Contributor)
Luis Valencia hi, may I know how you package the SPFx project for Veracode? I tried different ways but it seems not to be working.