Fedora has issued an advisory on February 8:
The issue is fixed upstream in 3.0.1.
Mageia 7 is also affected.
Fixed upstream in 3.0.1
This update upgrade nodejs-set-value to version 3.0.2 to fix CVE-2019-10747.
Fixed upstream in 3.0.1 =>
Updated nodejs-set-value package fixes security vulnerability:
A vulnerability was found in NOdejs set-value, where set-value is vulnerable to
Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could
be tricked into adding or modifying properties of Object.prototype using any of
the constructor, prototype and _proto_ payloads (CVE-2019-10747).
MGA7-64 Plasma on Lenovo B50
No installation issues.
No previous updates.
# urpmq --whatrequires-recursive nodejs-set-value
This is java , so OK on clean install as usual
Validating. Advisory in Comment 2.
An update for this issue has been pushed to the Mageia Updates repository.