npm audit security warnings because of lodash #9

Open
asab-se opened this issue Jun 1, 2018 · 0 comments

asab-se commented Jun 1, 2018

Hi,

I just installed your package and saw 5 low security vulnerabilities due to lodash version.

>npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   node-session                                                  
                                                                                
  Path            node-session > lodash                                         
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   node-session                                                  
                                                                                
  Path            node-session > waterline > switchback > lodash                
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   node-session                                                  
                                                                                
  Path            node-session > waterline > waterline-schema > lodash          
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   node-session                                                  
                                                                                
  Path            node-session > waterline > lodash                             
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   node-session                                                  
                                                                                
  Path            node-session > waterline > waterline-criteria > lodash        
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
found 5 low severity vulnerabilities in 563 scanned packages

Even though they are low risk, I want to use your package in a productive environment. Would you mind upgrading your packages to use lodash >= 4.17.5?
If I find time, I can do the upgrade as well, if you like.

@harishanchu harishanchu self-assigned this Sep 16, 2018