node-dottie - Debian Package Tracker

general

versioned links

2.0.2-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.2-4+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.0.6+~2.0.5-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

action needed

A new upstream version is available: 2.0.7+~2.0.7 high

A new upstream version 2.0.7+~2.0.7 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-03-01 08:31

1 security issue in sid high

1 important issue:

CVE-2026-27837: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

Created: 2026-02-26 Last update: 2026-03-01 04:31

1 security issue in forky high

1 important issue:

CVE-2026-27837: Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

Created: 2026-02-26 Last update: 2026-03-01 04:31

1 low-priority security issue in trixie low

1 issue left for the package maintainer to handle:

CVE-2026-27837: (needs triaging) Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-02-26 Last update: 2026-03-01 04:31

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-27837: (needs triaging) Dottie provides nested object access and manipulation in JavaScript. Versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit `7d3aee1` only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing `__proto__` at any position other than the first. Both `dottie.set()` and `dottie.transform()` are affected. Version 2.0.7 contains an updated fix to address the residual vulnerability.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-02-26 Last update: 2026-03-01 04:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-12-23 20:00

[2023-11-12] Accepted node-dottie 2.0.2-1+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-07-27] node-dottie 2.0.6+~2.0.5-2 MIGRATED to testing (Debian testing watch)
[2023-07-26] Accepted node-dottie 2.0.2-4+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-07-25] Accepted node-dottie 2.0.6+~2.0.5-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-07-09] Accepted node-dottie 2.0.6+~2.0.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-03] node-dottie 2.0.2-4 MIGRATED to testing (Debian testing watch)
[2021-11-01] Accepted node-dottie 2.0.2-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-09-15] Accepted node-dottie 2.0.2-3 (source all) into unstable (Debian Janitor) (signed by: Jelmer Vernooij)
[2021-09-05] node-dottie 2.0.2-2 MIGRATED to testing (Debian testing watch)
[2021-08-29] Accepted node-dottie 2.0.2-2 (source) into unstable (Debian Janitor) (signed by: Jelmer Vernooij)
[2019-12-08] node-dottie 2.0.2-1 MIGRATED to testing (Debian testing watch)
[2019-12-06] Accepted node-dottie 2.0.2-1 (source) into unstable (Andrius Merkys)
[2019-11-13] node-dottie 2.0.1-2 MIGRATED to testing (Debian testing watch)
[2019-11-11] Accepted node-dottie 2.0.1-2 (source) into unstable (Andrius Merkys)
[2019-11-11] Accepted node-dottie 2.0.1-1 (source all) into unstable, unstable (Andrius Merkys)

bugs [bug history graph]

links

ubuntu