Thanks for the report. We do not consider ourselves at risk here:
- We’re not using any of the affected functions.
- Prototype pollution, although a real threat, is much harder to exploit on the frontend than it is on the backend. For this to affect us, someone would need to be able to tamper with the payloads received from the SQ backend. Given our architecture, that implies a man-in-the-middle attack, which in the end is out of our scope.
We very much appreciate your report and all reports we receive from users. More eyes are always better. At the same time, we do monitor published CVEs ourselves, as well as hiring independent security auditors to test our software on a regular basis. We’re careful, though, not to jump too quickly on publishing releases just to update dependencies, because dependency vulnerabilities aren’t always relevant to us and doing so would only generate noise for our users.