underscore.js-1.12.0 has vulnerability #9222

tk0miya · 2021-05-12T17:10:58Z

Describe the bug

underscore.js has a security announcement ( CVE-2021-23358 ) for arbitrary code execution. Unfortunately this is fixed in underscore 1.12.1, but Sphinx-4.0.1 is still on 1.12.0.

refs: https://groups.google.com/g/sphinx-users/c/0ukmuNwtNqM

To Reproduce
N/A

Expected behavior
Upgrade it to the latest one.

Your project
N/A

Screenshots
N.A

Environment info
N/A

underscore.js 1.12.0 has a security announcement (CVE-2021-23358) for arbitrary code execution. So it should be upgraded to the latest version.

tk0miya · 2021-05-12T17:12:29Z

refs: https://underscorejs.org/#changelog

Fix #9222: Update Underscore.js to 1.13.1

tk0miya added the type:bug label May 12, 2021

tk0miya added this to the 4.0.2 milestone May 12, 2021

tk0miya added a commit to tk0miya/sphinx that referenced this issue May 12, 2021

Fix sphinx-doc#9222: Update Underscore.js to 1.13.1

a8c63f7

underscore.js 1.12.0 has a security announcement (CVE-2021-23358) for arbitrary code execution. So it should be upgraded to the latest version.

tk0miya mentioned this issue May 12, 2021

Fix #9222: Update Underscore.js to 1.13.1 #9223

Merged

tk0miya added a commit that referenced this issue May 15, 2021

Merge pull request #9223 from tk0miya/underscore.js-1.13.1

1ab7e28

Fix #9222: Update Underscore.js to 1.13.1

tk0miya closed this as completed May 15, 2021

github-actions bot locked as resolved and limited conversation to collaborators Jul 10, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

underscore.js-1.12.0 has vulnerability #9222

underscore.js-1.12.0 has vulnerability #9222

tk0miya commented May 12, 2021

tk0miya commented May 12, 2021

underscore.js-1.12.0 has vulnerability #9222

underscore.js-1.12.0 has vulnerability #9222

Comments

tk0miya commented May 12, 2021

tk0miya commented May 12, 2021