Hi, @webpro, there are two vulnerabilities introduced in your package release-it:
Issue Description
Vulnerabilities CVE-2020-28500 and CVE-2021-23337 are detected in package lodash<4.17.21, and lodash@4.17.20 is directly referenced by release-it@13.7.1. We noticed that the vulnerabilities have been removed since release-it@14.5.0.
However, release-it's popular previous version release-it@13.7.1 (13,881 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 68 downstream projects, e.g., vue-cli-plugin-vuetify-preset-kidsloop 0.3.0, cc-flow 13.15.0, nxpm 1.18.0, loql-marketplace 1.0.4, @syman/ark-mobile-cli 1.0.5, loql-marketplace@1.0.4, etc.).
As such, issues CVE-2020-28500 and CVE-2021-23337 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade release-it from version 13.7.1 to (>=14.5.0). For instance, release-it@13.7.1 is introduced into the above projects via the following package dependency paths:
(1) loql-marketplace@1.0.4 ➔ @crystallize/node-vipps@0.1.4 ➔ release-it@13.7.1 ➔ lodash@4.17.20
......
The projects such as @crystallize/node-vipps, which introduced release-it@13.7.1, are not maintained anymore. These unmaintained packages can neither upgrade release-it nor be easily migrated by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerabilities from package release-it@13.7.1?
Suggested Solution
Since these inactive projects set a version constraint 13.7.* for release-it on the above vulnerable dependency paths, if release-it removes the vulnerabilities from 13.7.1 and releases a new patched version release-it@13.7.2, such a vulnerability patch can be automatically propagated into the 68 affected downstream projects.
In release-it@13.7.2, you can kindly try to perform the following upgrade: lodash 4.17.20 ➔ 4.17.21
Note: lodash@4.17.21 (>=4.17.21) has fixed the vulnerabilities (CVE-2020-28500 and CVE-2021-23337).
Thank you for your contributions.
Best regards,
Paimon
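The two mechanics the report relies on, shown as an added example that is not part of the issue or of release-it: walking a dependency graph to find every path that ends in a lodash version below the fixed 4.17.21, and checking which release-it versions a `13.7.*` constraint would resolve to (so a 13.7.2 release is picked up while 14.5.0 is not). The graph below is constructed by hand from the single path quoted in the issue; the wildcard matcher is a deliberately minimal stand-in for a full semver library.

```javascript
// Added example: find transitive paths to a vulnerable lodash and show why a
// 13.7.2 patch release would be pulled in by a "13.7.*" constraint.
// The dependency graph is constructed from the path quoted in the issue.

const parseVersion = (v) => v.split('.').map(Number);

// Numeric comparison of dotted versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Minimal wildcard range check: "13.7.*" matches 13.7.2 but not 14.5.0.
function matchesWildcard(constraint, version) {
  const c = constraint.split('.'), v = version.split('.');
  return c.every((part, i) => part === '*' || part === v[i]);
}

// Highest published version that a wildcard constraint would resolve to.
function resolveHighest(constraint, available) {
  const candidates = available.filter((v) => matchesWildcard(constraint, v));
  return candidates.sort(compareVersions).pop() || null;
}

// Constructed graph: "name@version" -> list of its "name@version" deps.
const graph = {
  'loql-marketplace@1.0.4': ['@crystallize/node-vipps@0.1.4'],
  '@crystallize/node-vipps@0.1.4': ['release-it@13.7.1'],
  'release-it@13.7.1': ['lodash@4.17.20'],
  'lodash@4.17.20': [],
};

// Every path from root that ends in `pkg` at a version below `fixed`.
function findVulnerablePaths(graph, root, pkg = 'lodash', fixed = '4.17.21') {
  const results = [];
  const walk = (node, path) => {
    const [name, version] = node.split(/@(?=[^@]*$)/); // split on last '@'
    if (name === pkg && compareVersions(version, fixed) < 0) results.push(path);
    for (const dep of graph[node] || []) walk(dep, [...path, dep]);
  };
  walk(root, [root]);
  return results;
}
```

Running `findVulnerablePaths(graph, 'loql-marketplace@1.0.4')` reproduces the path listed in the issue; replacing the lodash edge with 4.17.21 makes the result empty.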