See the r.js equivalent of this PR here, if you want to try the fix in node:
Some notes on this change: I wanted the minimally invasive change, since this code is old, and it has been advertised as working in very old JS versions. So using
ashfurrow left a comment
This is older code and I am honestly not too familiar with it. However, I know a large community of people are looking for this to get fixed and I want to help, so I took a look.
This change makes sense to me. It's minimal enough to not break too many existing codebases but still addresses the prototype pollution vulnerability. I've read through the require.js file to get a sense of what it's doing and why.
Thanks for your work here after this came out of the blue. I appreciate your contributions, past and present.
Hopefully fixes #1854. I'll put up a branch/PR in r.js in a moment so people can try it in node too.