Vulnerablity Issue on Flat 5.0.2

[CookieMonster70]

Hi,
Our Security Department informed us, That component flat 5.0.2 we use, has a vulnerability Issue. I got asked if there are any plans, when the package "flat 5.0.2" will be fixed. As far as I know there is a fix, but it hasn't been merged till now. Are there any plans when a new fixed version of "flat 5.0.2" will be released?
#635

Regards Daniele

Message:
The flat package is vulnerable to Prototype Pollution. The unflatten() function in the index.js file allows objects to modify prototype properties via certain accessors such as prototype. A remote attacker can exploit this vulnerability to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected behavior.

Note: This vulnerability exists due to an incomplete fix for sonatype-2020-0690.

[zidingz]

Hello @CookieMonster70 - thanks for getting in touch!

After looking into your request regarding [email protected], it appears that we previously mediated a conversation with the maintainer and they confirmed that this vulnerability does not exist in the package. Feel free to take a look at the PR which was subsequently closed (hughsk/flat#113).

@hughsk - am I correct in this assessment, surrounding #635?

Let me know if you have any more questions @CookieMonster70 - cheers! 🍉