Immutable used by browser-sync is vulnerable to Prototype Pollution #2111

@AllThingsSmitty

Description

I received a Dependabot security alert for a repo that's using browser-sync 3.0.4 concerning Immutable being vulnerable to Prototype Pollution:

Dependabot cannot update immutable to a non-vulnerable version
The latest possible version that can be installed is 3.8.2 because of the following conflicting dependencies:

browser-sync@3.0.4 requires immutable@^3
browser-sync@3.0.4 requires immutable@^3 via browser-sync-ui@3.0.4
No patched version available for immutable
The earliest fixed version is 4.3.8.

Transitive dependency immutable 3.8.2 is introduced via
browser-sync 3.0.4 -> immutable 3.8.2

Is there a plan for a browser-sync update to handle this?
