Backport prototype pollution fix to `3.x`

[FeBe95]

It would be great to have the fix for the security advisory GHSA-wf6x-7x77-mvgw backported to the 3.x version as well. I couldn’t find a 3.x maintenance branch, so I’m unsure how to prepare a backport myself.

I realize that the latest 3.x release (3.8.2) was published almost 9 years ago. However, a number of widely used packages still depend on it. For example, browser-sync still pulls in immutable@3.8.2. BrowserSync has close to 1 million weekly downloads on npm but does not appear to be actively maintained anymore, so it seems unlikely that it will upgrade to immutable@4 in the near future.

A quick GitHub search shows that more than 19k public repositories still depend on a ^3 version of Immutable.js:

For example:

> npm ls immutable

@org/repo@ C:\repos\...
└─┬ browser-sync@3.0.4
  ├─┬ browser-sync-ui@3.0.4
  │ └── immutable@3.8.2 deduped
  └── immutable@3.8.2

Given the continued indirect usage of immutable@3, a minimal backport of the security fix would help many projects address the advisory without requiring upstream dependencies to migrate to v4.

[aolszowka]

For anyone else following along at home, while it wasn't explicitly mentioned above trying to float (via overrides) the version of immutable used by browser-sync does not work due to the breaking changes introduced in the 3->4 conversion due to the change of mergeDeep/mergeDeepWith.

I'm knee deep in trying to generate a package-patch to work around this, but realistically that work should be posted on the browser-sync project, which as mentioned is unmaintained. If I can work through it I'll get it posted.

I feel for the all these project maintainers, expect the flood incoming soon like we saw with ajv and minimatch. Perhaps a proactive lock of the issue is due with a sticky? OpenClaw is really killing this industry from the inside out with these "vulnerabilities" its reporting, Script Kiddies in Web 3.0 I guess.

[jdeniau]

I am considering this (and in fact I did while fixing 4 and 5 branches). I understand that 19k packages depends on immutable 3.
But the code of v3 has evolved a LOT in v4.
I will try to spend some time on it, but it's not as easy as it was for the 4.x branch.

[FeBe95]

Thanks for the release (https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3)!

I filed a PR to update the GitHub advisory, which also feeds the npm audit registry
github/advisory-database#7126

@jdeniau Could you update the advisory of this repo please?
github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw

[jdeniau]

I updated github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw and approved github/advisory-database#7126

[FeBe95]

FYI, I don't know if it matters much, but the version tags on npm are incorrectly set and do not match the actual version numbers:

[jdeniau]

Yes, I saw that and fixed it (the time to check how to do that !) It doesn't matter much. Julien Deniau Le vendredi 6 mars 2026 à 12:33, Felix Bernhard ***@***.***> a écrit :

…

FeBe95 left a comment [(immutable-js/immutable-js#2178)](#2178 (comment)) FYI, I don't know if it matters much, but the version tags on npm are incorrectly set and do not match the actual version numbers: [grafik.png (view on web)](https://github.com/user-attachments/assets/a3342814-4d6b-4a41-b9c6-8b46f787b670) — Reply to this email directly, [view it on GitHub](#2178 (comment)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AAKVNRNIXA6YM3OSJPCGV5T4PKZPDAVCNFSM6AAAAACWIOXKIOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMJRGIYDCMBYGQ). You are receiving this because you modified the open/close state.Message ID: ***@***.***>