We have found a vulnerability in unset-value. The cache-base library internally uses unset-value, and unset-value versions below 2.0.1 are vulnerable. Is there any plan to fix this issue and release a new version?
Please refer to https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660 @jonschlinkert
I too am running into this -- scary part is that most folks are on version 1.0.1 of this lib. It doesn't look like the change made to unset value should be breaking unless one was relying on the prototype pollution to break things.
Three options exist in my eyes:
1. Fix in userland
2. Effort to fix heavily relied on upstream packages. For me this is https://github.com/base/base 0.11.2 -- which exists nowhere in git history.
3. Publish a semver fix as 1.0.2.
I was able to fix in userland by adding a yarn resolution.
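An added example, not part of the thread or of the cache-base project: a Node.js check that a yarn resolution like the one mentioned above actually took effect, by reading `yarn.lock` and flagging any `unset-value` entry that resolves below 2.0.1. It assumes the yarn v1 lockfile format and a pin to 2.0.1 (the thread does not say which version was pinned); the function names and both sample lockfiles are constructed for illustration.

```javascript
// Added example: check a yarn.lock (v1 format) for unset-value below the fixed version.
const FIXED = '2.0.1'; // the issue states versions below 2.0.1 are vulnerable

// Compare plain x.y.z versions numerically (any prerelease suffix is ignored).
function isBelow(version, floor) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = floor.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Return [{ specs, version }] for every lockfile entry of the named package.
function resolvedVersions(lockText, name) {
  const out = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line) && !line.startsWith('#')) {
      // Entry header, e.g.  unset-value@^1.0.0, "unset-value@^1.0.1":
      const specs = line.slice(0, -1).split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      current = specs.some((s) => s.startsWith(name + '@'))
        ? { specs, version: null } : null;
      if (current) out.push(current);
    } else if (current) {
      const m = line.match(/^  version "?([^"\s]+)"?$/);
      if (m) current.version = m[1];
    }
  }
  return out;
}

// Entries that still resolve to a vulnerable unset-value.
function vulnerableEntries(lockText) {
  return resolvedVersions(lockText, 'unset-value')
    .filter((e) => e.version && isBelow(e.version, FIXED));
}

// Constructed sample lockfiles (not taken from a real project).
const beforePin = ['# yarn lockfile v1', '', 'cache-base@^1.0.1:',
  '  version "1.0.1"', '  dependencies:', '    unset-value "^1.0.0"', '',
  'unset-value@^1.0.0:', '  version "1.0.0"', ''].join('\n');
const afterPin = beforePin.replace('  version "1.0.0"', '  version "2.0.1"');

console.log('before pin:', vulnerableEntries(beforePin));
console.log('after pin: ', vulnerableEntries(afterPin));
```

Running it in CI against the real `yarn.lock` catches the case where a later dependency change reintroduces an older copy alongside the pinned one.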