Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Command Injection in lodash package #478

Closed
palisadoes opened this issue Feb 17, 2022 · 0 comments
Closed

Command Injection in lodash package #478

palisadoes opened this issue Feb 17, 2022 · 0 comments
Labels
bug Something isn't working good first issue Good for newcomers security Security fix unapproved Unapproved for Pull Request

Comments

@palisadoes
Copy link
Contributor

Describe the bug

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

We need to upgrade to the earliest fixed version 4.17.21

Note easygraphql-tester@5.1.6 requires lodash@4.17.15 via a transitive dependency on @graphql-toolkit/common@0.10.4

You will need to upgrade other packages to satisfy fixing this bug.
@palisadoes palisadoes added the bug Something isn't working label Feb 17, 2022
@github-actions github-actions bot added the unapproved Unapproved for Pull Request label Feb 17, 2022
@palisadoes palisadoes added good first issue Good for newcomers security Security fix labels Mar 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working good first issue Good for newcomers security Security fix unapproved Unapproved for Pull Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@palisadoes