lodash bumped to 4.17.11 #12

Closed
wants to merge 1 commit into from

Conversation

ppitonak

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2018-3721

@ppitonak
Author

Is this project dead?

@s5b

s5b commented Feb 18, 2019

I hope it's not dead. Merging the PR would be good.

@CoreyCole

CoreyCole commented Aug 20, 2019

@roccato @pmowrer please merge this. When we install your package and run npm audit:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-fail-fast [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jasmine-fail-fast > lodash                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-fail-fast [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jasmine-fail-fast > lodash                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jasmine-fail-fast [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jasmine-fail-fast > lodash                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1065                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 874214 scanned packages
  3 vulnerabilities require manual review. See the full report for details.
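
An added check, not part of this PR or the jasmine-fail-fast project, that walks a package-lock.json (v1 layout) dependency tree and reports every nested lodash copy that is still below the three patched versions the audit report above lists (>=4.17.5, >=4.17.11, >=4.17.12). The lock-file content, including the jasmine-fail-fast version, is constructed for the example.

```javascript
// Added example: find lodash installs below the patched versions from the
// npm audit report (advisory id -> first fixed version). Not project code.
const PATCHED = { 577: '4.17.5', 782: '4.17.11', 1065: '4.17.12' };

// Numeric comparison of dotted versions; returns -1, 0 or 1 (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the nested `dependencies` tree and collect every install of `pkg`,
// recording its path (as npm audit prints it), version, and unpatched advisories.
function findPackage(lock, pkg, parents = []) {
  const hits = [];
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const path = [...parents, name];
    if (name === pkg) {
      const advisories = Object.entries(PATCHED)
        .filter(([, fixed]) => compareVersions(info.version, fixed) < 0)
        .map(([id]) => Number(id));
      hits.push({ path: path.join(' > '), version: info.version, dev: !!info.dev, advisories });
    }
    hits.push(...findPackage(info, pkg, path)); // recurse into nested deps
  }
  return hits;
}

// Constructed lock file: a stale lodash nested under jasmine-fail-fast (dev dependency)
// and an already-patched copy at top level.
const sampleLock = {
  dependencies: {
    'jasmine-fail-fast': { version: '2.0.0', dev: true,
      dependencies: { lodash: { version: '4.17.4', dev: true } } },
    lodash: { version: '4.17.15' },
  },
};

// Only the copies that still fall under at least one advisory.
function vulnerableLodash(lock = sampleLock) {
  return findPackage(lock, 'lodash').filter((h) => h.advisories.length > 0);
}

for (const h of vulnerableLodash()) {
  console.log(`${h.path}@${h.version}${h.dev ? ' [dev]' : ''}: advisories ${h.advisories.join(', ')}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means every lodash copy in the tree is at or above 4.17.12.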

@CoreyCole

@ppitonak looks like we will need >=4.17.12

pmowrer added a commit that referenced this pull request Feb 1, 2020
Closes #20, closes #15, closes #14, closes #12.
@pmowrer pmowrer closed this in 161bfe6 Feb 1, 2020
@pmowrer
Owner

pmowrer commented Feb 1, 2020

🎉 This issue has been resolved in version 2.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ppitonak ppitonak deleted the lodash_upgrade branch February 3, 2020 11:59