Sveltejs devalue's `devalue.parse` and `devalue.unflatten` emit objects with `__proto__` own properties — GHSA-MWV9-GP5H-FRR4

Summary

In some circumstances, `devalue.parse` and `devalue.unflatten` could emit objects with `__proto__` own properties. This in and of itself is not a security vulnerability (and is possible with, for example, `JSON.parse` as well), but it can result in prototype injection if _downstream_ code handles it incorrectly: ```ts const result = devalue.parse(/* input creating an object with a __proto__ property */); const…

Product

npm: devalue

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source

Related advisories