upgrade 2.0.1 to 4.0.1 to fix the vulnerability.

[BhagyashreeYogeshChaudhari]

This is my tree structure of set-value :

i want to upgrade it to 4.0.1

i tried to update set-value with latest and its parent packages but issue is still not resolved.

[craftyc0der]

https://snyk.io/test/npm/set-value/2.0.1
Ideally, 2.0.1 would be patched with a fix because so many libraries depend on it.

[michaelpinnell]

Wanted to ping this seconding the idea of releasing a patch version of 2.0.1 because I'm also stuck in this loop of higher level dependencies being hard stuck on the old version

[shashi4a6]

Wanted to ping this seconding the idea of releasing a patch version of 2.0.1 because I'm also stuck in this loop of higher level dependencies being hard stuck on the old version

Hi, I am also facing same issue as angular upgrade does not upgrade the set-value package. Does version 2.0.1 is vulnerable? if yes, when can we expect patch for this 2.0.1 version?

[fhljys]

Any update on this?

[jakubjosef]

I also faced this issue and actually it's bit confusing for me. In my company we are using tool called MEND (aka Whitesource) to manage vulnerabilities and this tool is displaying v2.0.1 as vulnerable. On contrary SNYK is displaying 2.0.1 as not vulnerable (see https://security.snyk.io/package/npm/set-value/2.0.1).

If I understand it correctly, library author did some fix to mitigate original problem and released 2.0.1 but it's not enough and issue is finally fixed only in >v4.0.1. The problem is many libraries require set-value@^2.0.0 so we cannot upgrade local version to version 4.

So the only solution is to publish v2.0.2 which mitigates "CVE-2021-23440" completely. @jonschlinkert is it possible to do so?

Thank you.