I have Snyk check on my project and it reported an issue with this plugin using Lodash (as a dependency of jsdom).
MEDIUM SEVERITY EXPLOIT: PROOF OF CONCEPT
Prototype Pollution
Vulnerable module: lodash
Introduced through: typedoc-plugin-extras@1.1.4
Exploit maturity: Proof of concept
Reachability: No info
Detailed paths and remediation
Introduced through: pegasys-orchestrate@2.2.0 › typedoc-plugin-extras@1.1.4 › jsdom@16.2.2 › request-promise-native@1.0.8 › request-promise-core@1.1.3 › lodash@4.17.15
Remediation: No remediation path available.
Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.
Affected versions of this package are vulnerable to Prototype Pollution. The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
I dropped the jsdom dependency (and thus lodash) in the latest patch.
Now, I use String.prototype.replace() to replace in page.contents. So it has exactly the same behavior as before but there is no overkill logic with selectors anymore.
I stopped using the div.container.tsd-generator > p selector. Now, I find the text "Generated using TypeDoc" inside a <p> tag and add just before the end of the tag.
This text can't be changed so I view it as a constant. It can only be suppressed with hideGenerator. In the latter case, date and/or time won't be added (just as before).
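A sketch of the dependency-free approach described in the comment above, added here as an illustration and not taken from the plugin's source. The names `appendToGenerator` and `escapeHtml`, the sample markup, and the tolerance for inline tags inside the paragraph are assumptions.

```javascript
// Added example (not the plugin's code): append text to the generator
// paragraph using only String.prototype.replace(), no DOM library.

// Constructed sample page; the real TypeDoc markup may differ.
const SAMPLE_PAGE =
  '<p>Intro</p><div class="container tsd-generator">' +
  "<p>Generated using TypeDoc</p></div>";

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the inserted text so a date format or custom string cannot
// inject markup into the generated documentation.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Group 1: a <p> element up to and including the constant text
// "Generated using TypeDoc" (inline tags such as a link around "TypeDoc"
// are tolerated, an assumption) plus anything before its closing tag.
// Group 2: the closing </p>.
const GENERATOR_P = new RegExp(
  "(<p\\b[^>]*>(?:(?!</?p\\b)[\\s\\S])*?" +
    "Generated using\\s*(?:<[^>]+>\\s*)*TypeDoc" +
    "(?:(?!</p>)[\\s\\S])*?)(</p>)"
);

// Hypothetical helper: returns `contents` with `extra` inserted just
// before the end of the generator paragraph. If the paragraph is absent
// (as with hideGenerator), the page is returned unchanged.
function appendToGenerator(contents, extra) {
  const safe = escapeHtml(extra);
  // A replacer function is used instead of a replacement string so that
  // sequences like "$&" or "$1" in `safe` are inserted literally rather
  // than being expanded as replacement patterns.
  return contents.replace(
    GENERATOR_P,
    (_match, body, close) => `${body} ${safe}${close}`
  );
}

console.log(appendToGenerator(SAMPLE_PAGE, "2020-06-01 12:00"));
```
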