You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by adjust-sourcemap-loader package.
The issue is mainly about adjust-sourcemap-loader using older/vulnerable version of lodash packages.
My question is if adjust-sourcemap-loader could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.
Here is the output of auditjs:
------------------------------------------------------------
[769/1242] lodash.assign 4.2.0 [VULNERABLE] 2 known vulnerabilities affecting installed version
[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /resolve-url-loader/adjust-sourcemap-loader/lodash.assign
CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /resolve-url-loader/adjust-sourcemap-loader/lodash.assign
------------------------------------------------------------
[873/1242] lodash.defaults 4.2.0 [VULNERABLE] 2 known vulnerabilities affecting installed version
[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /resolve-url-loader/adjust-sourcemap-loader/lodash.defaults
CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /resolve-url-loader/adjust-sourcemap-loader/lodash.defaults
------------------------------------------------------------
The text was updated successfully, but these errors were encountered:
Hello,
I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by adjust-sourcemap-loader package.
The issue is mainly about adjust-sourcemap-loader using older/vulnerable version of lodash packages.
My question is if adjust-sourcemap-loader could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.
Here is the output of auditjs:
The text was updated successfully, but these errors were encountered: