Open
Description
$ npm install -g @microsoft/rush

The previous command failed because our private npm registry blocked the download of ramda-0.27.2.tgz due to security policies triggered by CVE-2021-42581. Are there plans to upgrade the Ramda dependency to a version that resolves this vulnerability and ensures successful installation?
Vulnerability Details
Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.
Publish Date: 2022-05-10
URL: CVE-2021-42581
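As an added illustration (not part of this issue and not code from rushstack or Ramda), the snippet below contrasts the plain-assignment pattern the CVE text describes with a hardened map-over-object helper, and adds an input check a caller can run on untrusted objects before passing them to a library function. The function names `naiveMapObjIndexed`, `safeMapObjIndexed` and `hasUnsafeOwnKey` are hypothetical, and the sample input is constructed inline.

```javascript
// Added example, not rushstack's or Ramda's code. Function names are hypothetical.

// Pattern the CVE text describes: plain assignment on a fresh {} routes an own
// "__proto__" key through the inherited __proto__ setter, so the crafted value
// becomes the prototype of the result instead of an ordinary property.
function naiveMapObjIndexed(fn, obj) {
  const result = {};
  for (const key of Object.keys(obj)) {
    result[key] = fn(obj[key], key, obj);
  }
  return result;
}

// Hardened form: Object.defineProperty always creates an own data property, so
// the result keeps Object.prototype regardless of which keys the input carries.
function safeMapObjIndexed(fn, obj) {
  const result = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(result, key, {
      value: fn(obj[key], key, obj),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return result;
}

// Input check for callers that cannot change the library: flag untrusted objects
// that carry an own "__proto__", "constructor" or "prototype" key at any depth.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function hasUnsafeOwnKey(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value); // guard against cyclic structures
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key)) return true;
    if (hasUnsafeOwnKey(value[key], seen)) return true;
  }
  return false;
}

// Constructed sample input: JSON.parse is the usual way an own "__proto__" key
// arrives from outside (e.g. a request body); it is an own, enumerable property.
const crafted = JSON.parse('{"a": 1, "__proto__": {"admin": true}}');
const naive = naiveMapObjIndexed((v) => v, crafted);
const safe = safeMapObjIndexed((v) => v, crafted);

console.log('naive result prototype is Object.prototype:',
  Object.getPrototypeOf(naive) === Object.prototype);   // false
console.log('safe result prototype is Object.prototype:',
  Object.getPrototypeOf(safe) === Object.prototype);    // true
console.log('input flagged by hasUnsafeOwnKey:', hasUnsafeOwnKey(crafted)); // true
```

The naive result inherits `admin` from the crafted prototype, while the hardened result exposes `__proto__` only as a plain own key, which is what a consumer iterating the mapped object would expect. Neither variant touches the global `Object.prototype`; the check is there so services that cannot upgrade the dependency can reject such input at the boundary.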