[Snyk: Med] Prototype Pollution (Due 07/05/2020) #4337
Comments
The latest version of the lodash pkg still does not have the patch/remediation for
Patch yet to be released for
@pkfec looking through the repo, things are going to be complicated.
Should we mark this as a dupe of #3740?
It looks like a fix was made but a release still needs to be pushed: https://github.com/lodash/lodash/issues/4837
Notified security team that this issue is BLOCKED until the LODASH package is fixed in a later version.
Looks like a fix is ready: https://github.com/lodash/lodash/issues/4837#issuecomment-655648024
Lodash v4.17.19 was released just 13 hours ago. I am going to upgrade to this new version and test the openFEC repo. A PR will soon be ready for review.
It seems @lbeaufort audited the npm pkg yesterday and already upgraded the lodash package to 4.17.17 on openFEC/develop. I ran the CLI command. No code changes are needed. Closing this issue.
Summary
Medium severity vulnerability found
Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-LODASH-567746
Prototype Pollution is a vulnerability affecting JavaScript.
Remediation: There is no fixed version for lodash.
Completion criteria:
Consider/document alternatives or workarounds to solve this security issue and do that thing.
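The Snyk summary above names the vulnerability class but not the mechanism. The following is an added example, not code from openFEC, lodash or Snyk: a minimal recursive merge that is vulnerable to prototype pollution, beside a hardened merge that refuses the `__proto__`, `constructor` and `prototype` keys, and a runtime canary that reports whether `Object.prototype` has acquired own keys. The attacker-shaped JSON payload and the function names (`naiveMerge`, `safeMerge`, `pollutionCheck`, `prototypeCanary`) are constructed for this illustration.

```javascript
// Added example (not openFEC, lodash or Snyk code). Shows why a recursive
// merge over untrusted JSON pollutes Object.prototype, and how to harden it.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: for...in walks every enumerable key of the untrusted source,
// including an own "__proto__" key produced by JSON.parse. Reading
// target["__proto__"] returns Object.prototype, so the recursion writes onto
// the shared prototype and every object in the process inherits the value.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that would let a merge reach the prototype chain instead of the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: only own keys of the source are considered, unsafe keys are
// skipped, and nested targets are reused only when they are own properties
// of the target rather than something inherited from its prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownNested) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges a constructed attacker-shaped payload into an empty object with the
// given merge function and reports whether an unrelated object now inherits
// the injected property. Object.prototype is restored afterwards so the
// check itself does not leave the runtime polluted.
function pollutionCheck(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed sample input
  const probe = {};
  try {
    mergeFn({}, payload);
    return { polluted: probe.isAdmin === true, inheritedKey: 'isAdmin' in probe };
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Runtime canary suitable for a health check or log line: a clean runtime
// reports no own enumerable keys on Object.prototype.
function prototypeCanary() {
  return Object.keys(Object.prototype);
}

console.log('naiveMerge:', pollutionCheck(naiveMerge)); // polluted: true
console.log('safeMerge:', pollutionCheck(safeMerge));   // polluted: false
console.log('canary:', prototypeCanary());              // []
```

The canary is deliberately cheap: it can run at startup and after deserialising untrusted input, and any non-empty result is worth alerting on, because in a healthy Node.js process `Object.prototype` has no own enumerable keys.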