
Upgrade lodash to version 4.17.13 or later. #11992

Labels
archived due to age: This issue has been archived; please open a new issue for any further discussion
triage: An ESLint team member will look at this issue soon

Comments

@toptalo

toptalo commented Jul 15, 2019

CVE-2019-10744
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

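The advisory above describes a deep-defaults merge that can be steered into Object.prototype through a nested "constructor" key. The following is an added example (not lodash's code and not from this thread) of a hardened deep-defaults merge that skips the prototype-reaching keys, plus a check that the global prototype stayed clean; `safeDefaultsDeep`, `prototypeIsClean` and the sample input are hypothetical.

```javascript
// Added example, not code from lodash or from this issue thread.
// A deep "defaults" merge that refuses to walk keys able to reach Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fill in missing properties of `target` from `source`, recursing into nested
// plain objects. Keys in UNSAFE_KEYS are skipped entirely rather than merged.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never descend into constructor/__proto__/prototype
    const srcVal = source[key];
    if (!Object.prototype.hasOwnProperty.call(target, key)) {
      // copy nested plain objects so `target` never aliases untrusted input
      target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDefaultsDeep(target[key], srcVal);
    }
  }
  return target;
}

// Detection helper: report whether a fresh object has inherited a property
// it should not have (i.e. whether Object.prototype has been polluted).
function prototypeIsClean(probeKey) {
  return !(probeKey in {});
}

// Constructed input in the shape the advisory describes: a nested "constructor"
// key as it would arrive from JSON.parse of untrusted data (hypothetical sample).
const untrusted = JSON.parse(
  '{"constructor": {"prototype": {"polluted": "yes"}}, "port": 8080}'
);

function demo() {
  const config = safeDefaultsDeep({ host: 'localhost' }, untrusted);
  return { config, clean: prototypeIsClean('polluted') };
}
```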
@eslint-deprecated eslint-deprecated bot added the "triage" (An ESLint team member will look at this issue soon) label Jul 15, 2019
quetzaluz added a commit to quetzaluz/eslint that referenced this issue Jul 15, 2019
Issue in lodash filed at lodash/lodash#4348
@toptalo
Author

toptalo commented Jul 16, 2019

❤️

@mcandre

mcandre commented Jul 18, 2019

ETA for a fresh NPM eslint release version, in order to publish this patch for regular users?

@platinumazure
Member

@mcandre We usually release every 2 weeks on Friday or Saturday, with our next release being this week. You can look at issues with the "release" label to follow the next release in general (or see #11955 for this week's release specifically).

@Lonniebiz

Lonniebiz commented Jul 29, 2019

Thanks for fixing this! I no longer see these warnings in 6.1.0:

Lodash
