
thenify before 3.3.1 made use of unsafe calls to `eval`.

Created by: gitstart-sourcegraph

Problem statement

Versions of thenify prior to 3.3.1 made unsafe calls to `eval`, so untrusted user input could lead to arbitrary code execution on the host. The patch in version 3.3.1 removes the calls to `eval`.

Success criteria

Update thenify to a non-vulnerable version

Implementation details

The latest version of thenify that can currently be installed (3.3.0) is still affected. The earliest fixed version is 3.3.1.

  • Affected versions < 3.3.1
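A way to verify the upgrade landed everywhere in the dependency tree, as an added example that is not part of this issue or of the thenify project: scan an npm lockfile (v1 `dependencies` tree or v2/v3 `packages` map) for every copy of thenify below the fixed 3.3.1. The lockfile content embedded below is constructed for illustration.

```javascript
// Added example: flag every thenify entry in a package-lock.json that is
// below the first fixed version, 3.3.1 (nested copies included).
const FIXED = [3, 3, 1];

function parseVersion(v) {
  // Numeric triple only; a pre-release/build suffix is ignored here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version < 3.3.1, i.e. still affected by the eval-based code.
function isAffected(version) {
  const parsed = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== FIXED[i]) return parsed[i] < FIXED[i];
  }
  return false; // exactly 3.3.1 is fixed
}

function findAffectedThenify(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are node_modules paths.
    for (const [pkgPath, info] of Object.entries(lock.packages)) {
      if (pkgPath.endsWith("node_modules/thenify") && info.version && isAffected(info.version)) {
        hits.push({ path: pkgPath, version: info.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix}/${name}` : name;
      if (name === "thenify" && isAffected(info.version)) hits.push({ path, version: info.version });
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample (v2 format): one vulnerable copy, one already fixed.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "node_modules/thenify": { version: "3.3.0" },
    "node_modules/thenify-all/node_modules/thenify": { version: "3.3.1" },
  },
});

console.log(findAffectedThenify(SAMPLE_LOCK));
```

An empty result after the dependabot bump is the signal that no transitive copy was left behind.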

Ref

#35989 Link to dependabot alert

Time estimate

  • Pull requests with frontend lines changed should take 3 hours at maximum. Ping the reviewer in the spec pull request if time-consuming changes are required.
  • Split the work into multiple pull requests if the total diff is bigger than 450 lines of code.