Medium vulnerability | yargs-unparser -> lodash@4.17.15 #4332
Comments
lodash@4.17.15 The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects. Report:
@andresvelezperez But nobody fixes that, and nobody merges the PR.
It is possible to remove yargs-unparser. I don't know how to publish a new yargs-unparser package?
This will get addressed if/when Lodash merges the PR; I would strongly suggest creating an exception in your CI pipeline for this particular warning.
@boneskull Yes, I agree with your description. But I observe that many vulnerabilities stay unfixed out there. We must reduce unmaintained dependencies.
Sorry? The new PR (#4338) fixed the issue in the common way. I am happy that I could find anyone to publish a new version of
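The comment above describes the bug class (a path-setting helper that can be steered into Object.prototype). The following is an added example, not code from the mocha, yargs-unparser or lodash projects: a zipObjectDeep-style helper that refuses the property names through which a path can reach the prototype, plus a canary check a test suite can run to detect pollution that has already happened. The names safeSetPath, safeZipObjectDeep and prototypeIsPolluted are assumptions of this example.

```javascript
// Added example (not lodash's code): hardened zipObjectDeep-style helper.
// Assumption: paths are dotted strings or arrays of keys, as in lodash.

// Keys that let a path climb from a plain object to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Set `value` at `path` on `target`, creating intermediate plain objects.
// Throws rather than walking through a prototype-reaching key.
function safeSetPath(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-reaching key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
      break;
    }
    // Only descend into an *own* plain-object property; anything inherited
    // (or non-object) is replaced with a fresh object owned by `target`.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  return target;
}

// Pair each path with the value at the same index, like zipObjectDeep.
function safeZipObjectDeep(paths, values) {
  const result = {};
  paths.forEach((p, i) => safeSetPath(result, p, values[i]));
  return result;
}

// Canary check for a test suite: a fresh empty object must not "have" the key.
// If this returns true, something earlier in the process polluted the prototype.
function prototypeIsPolluted(canaryKey) {
  return canaryKey in {};
}

// Constructed sample input for a stand-alone run.
const built = safeZipObjectDeep(['a.b.c', 'x'], [1, 2]);
console.log(JSON.stringify(built), 'polluted?', prototypeIsPolluted('polluted'));
```

Blocking "constructor" also rejects legitimate paths that happen to use that key; that is the usual trade-off such guards make, since `constructor.prototype` is the second route to Object.prototype besides `__proto__`. The canary function is cheap enough to run in a test's `before` hook as a regression check for a whole dependency tree.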
Prerequisites
- issues with the faq label
- node node_modules/.bin/mocha --version (local) and mocha --version (global). We recommend that you not install Mocha globally.
Description
The current mocha version contains a high vulnerability. That is a blocker for our CI/CD pipelines.
Vulnerability in lodash found. Lodash maintainers have done nothing for more than 7 months!
Lodash should be removed from mocha! Issue ticket opened: yargs/yargs-unparser#54 - we will see if a new npm package will be released.
Topic: is lodash dead?!
https://github.com/lodash/lodash/issues/4809
lodash/lodash#4745
... see the issues and PRs on GitHub
Steps to Reproduce
Findings: https://snyk.io/test/npm/mocha?tab=issues