The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
The dependency only comes via jsdoc and we're already using the latest version v3.6.6.
This seems to be already tracked here: jsdoc/jsdoc#1906
If they release a bugfix as v3.6.7, there's nothing to be done by this project. Consumers only need to ensure they update their package-lock files to consume the latest in-range dependencies. Therefore closing this issue.
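Two checks follow from the thread above: whether an installed underscore falls inside the advisory's affected ranges (which include a prerelease range, so plain string comparison is not enough), and where in a lockfile-resolved tree that copy sits, since the fix lands only when the lockfile is refreshed. The block below is an added example, not code from this issue, from karma-ui5 or from underscore: it parses semver with prerelease ordering, encodes the two ranges quoted in the advisory, walks an `npm ls --json`-shaped tree (constructed here, trimmed to the jsdoc path from the report) to list every path to a vulnerable copy, and adds a consumer-side guard that rejects any `_.template` `variable` setting that is not a bare identifier, the property the advisory says went unsanitized. The function names, the sample tree and the guard regex are this example's own assumptions.

```javascript
// Added example (not from the issue, karma-ui5 or underscore):
// (1) compare a version against the advisory's ranges,
// (2) find every path to a vulnerable copy in an `npm ls --json`-shaped tree,
// (3) guard the `variable` template setting before handing it to _.template.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver ordering: core numerically; a prerelease sorts before its release;
// prerelease identifiers compare numerically when both are numeric, else as strings,
// and numeric identifiers rank below alphanumeric ones.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      const d = Number(x.pre[i]) - Number(y.pre[i]);
      if (d) return d;
    } else if (xn !== yn) {
      return xn ? -1 : 1;
    } else if (x.pre[i] !== y.pre[i]) {
      return x.pre[i] < y.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// Affected ranges as stated in the advisory text on this page:
// >=1.3.2 <1.12.1 and >=1.13.0-0 <1.13.0-2.
const UNDERSCORE_VULN_RANGES = [['1.3.2', '1.12.1'], ['1.13.0-0', '1.13.0-2']];

function isVulnerableUnderscore(version) {
  return UNDERSCORE_VULN_RANGES.some(([lo, hi]) =>
    compareSemver(version, lo) >= 0 && compareSemver(version, hi) < 0);
}

// Walk a tree shaped like `npm ls --json` ({ dependencies: { name: { version, dependencies } } })
// and return "a@1 > b@2 > pkg@x" strings for every copy of pkgName that isVuln() flags.
function findVulnerablePaths(tree, pkgName, isVuln, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkgName && isVuln(node.version)) hits.push(here.join(' > '));
    hits.push(...findVulnerablePaths(node, pkgName, isVuln, here));
  }
  return hits;
}

// Consumer-side guard (assumed here, not underscore's own code): the `variable` setting
// ends up inside generated function source, so accept only a bare identifier.
function assertBareIdentifier(variable) {
  if (!/^\s*(\w|\$)+\s*$/.test(variable)) {
    throw new Error(`variable is not a bare identifier: ${variable}`);
  }
  return variable.trim();
}

// Constructed sample tree, trimmed to the jsdoc path from the report on this page.
const SAMPLE_TREE = { dependencies: { 'karma-ui5': { version: '2.3.3', dependencies: {
  '@ui5/project': { version: '2.3.1', dependencies: {
    '@ui5/builder': { version: '2.8.2', dependencies: {
      jsdoc: { version: '3.6.6', dependencies: {
        underscore: { version: '1.10.2' } } } } } } } } } } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerablePaths(SAMPLE_TREE, 'underscore', isVulnerableUnderscore));
}
```

Feed `findVulnerablePaths` the object from `npm ls --json --all` to check a real tree; an empty result after `npm update` on the lockfile is the confirmation the maintainer's reply asks consumers to obtain.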
Hi,
Potential security vulnerability in one of the dependencies: underscore@1.10.2.
Dependency tree

```
+-- karma-ui5@2.3.3
| +-- @ui5/fs@2.0.6
| | +-- @ui5/logger@2.0.1
| | | `-- npmlog@4.1.2
| | |   +-- are-we-there-yet@1.1.5
| | |   | +-- delegates@1.0.0
| | |   | `-- readable-stream@2.3.7 deduped
| | |   +-- console-control-strings@1.1.0
| | |   +-- gauge@2.7.4
| | |   | +-- aproba@1.2.0
| | |   | +-- console-control-strings@1.1.0 deduped
| | |   | +-- has-unicode@2.0.1
| | |   | +-- object-assign@4.1.1 deduped
| | |   | +-- signal-exit@3.0.3 deduped
| | |   | +-- string-width@1.0.2
| | |   | | +-- code-point-at@1.1.0
| | |   | | +-- is-fullwidth-code-point@1.0.0
| | |   | | | `-- number-is-nan@1.0.1 deduped
| | |   | | `-- strip-ansi@3.0.1 deduped
| | |   | +-- strip-ansi@3.0.1 deduped
| | |   | `-- wide-align@1.1.3
| | |   |   `-- string-width@2.1.1 deduped
| | |   `-- set-blocking@2.0.0
| | +-- clone@2.1.2 deduped
| | +-- globby@11.0.3
| | | +-- array-union@2.1.0
| | | +-- dir-glob@3.0.1
| | | | `-- path-type@4.0.0
| | | +-- fast-glob@3.2.5
| | | | +-- @nodelib/fs.stat@2.0.4
| | | | +-- @nodelib/fs.walk@1.2.6
| | | | | +-- @nodelib/fs.scandir@2.1.4
| | | | | | +-- @nodelib/fs.stat@2.0.4 deduped
| | | | | | `-- run-parallel@1.2.0
| | | | | |   `-- queue-microtask@1.2.3
| | | | | `-- fastq@1.11.0
| | | | |   `-- reusify@1.0.4
| | | | +-- glob-parent@5.1.2
| | | | | `-- is-glob@4.0.1
| | | | |   `-- is-extglob@2.1.1
| | | | +-- merge2@1.4.1 deduped
| | | | +-- micromatch@4.0.4
| | | | | +-- braces@3.0.2 deduped
| | | | | `-- picomatch@2.2.3 deduped
| | | | `-- picomatch@2.2.3 deduped
| | | +-- ignore@5.1.8
| | | +-- merge2@1.4.1
| | | `-- slash@3.0.0
| | +-- graceful-fs@4.2.6 deduped
| | +-- make-dir@3.1.0 deduped
| | +-- micromatch@4.0.4
| | | +-- braces@3.0.2 deduped
| | | `-- picomatch@2.2.3 deduped
| | +-- minimatch@3.0.4 deduped
| | +-- pretty-hrtime@1.0.3
| | `-- random-int@2.0.1
| +-- @ui5/project@2.3.1
| | +-- @ui5/builder@2.8.2
| | | +-- @ui5/fs@2.0.6 deduped
| | | +-- @ui5/logger@2.0.1 deduped
| | | +-- cheerio@0.22.0
| | | | +-- css-select@1.2.0
| | | | | +-- boolbase@1.0.0
| | | | | +-- css-what@2.1.3
| | | | | +-- domutils@1.5.1
| | | | | | +-- dom-serializer@0.1.1 deduped
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | `-- nth-check@1.0.2
| | | | |   `-- boolbase@1.0.0 deduped
| | | | +-- dom-serializer@0.1.1
| | | | | +-- domelementtype@1.3.1
| | | | | `-- entities@1.1.2 deduped
| | | | +-- entities@1.1.2
| | | | +-- htmlparser2@3.10.1
| | | | | +-- domelementtype@1.3.1 deduped
| | | | | +-- domhandler@2.4.2
| | | | | | `-- domelementtype@1.3.1 deduped
| | | | | +-- domutils@1.5.1 deduped
| | | | | +-- entities@1.1.2 deduped
| | | | | +-- inherits@2.0.3 deduped
| | | | | `-- readable-stream@3.6.0
| | | | |   +-- inherits@2.0.3 deduped
| | | | |   +-- string_decoder@1.1.1 deduped
| | | | |   `-- util-deprecate@1.0.2 deduped
| | | | +-- lodash.assignin@4.2.0
| | | | +-- lodash.bind@4.2.1
| | | | +-- lodash.defaults@4.2.0
| | | | +-- lodash.filter@4.6.0
| | | | +-- lodash.flatten@4.4.0
| | | | +-- lodash.foreach@4.5.0
| | | | +-- lodash.map@4.6.0
| | | | +-- lodash.merge@4.6.2
| | | | +-- lodash.pick@4.4.0
| | | | +-- lodash.reduce@4.6.0
| | | | +-- lodash.reject@4.6.0
| | | | `-- lodash.some@4.6.0
| | | +-- escape-unicode@0.2.0
| | | +-- escodegen@2.0.0
| | | | +-- esprima@4.0.1 deduped
| | | | +-- estraverse@5.2.0
| | | | +-- esutils@2.0.3 deduped
| | | | +-- optionator@0.8.1 deduped
| | | | `-- source-map@0.6.1
| | | +-- escope@3.6.0
| | | | +-- es6-map@0.1.5
| | | | | +-- d@1.0.1
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- type@1.2.0
| | | | | +-- es5-ext@0.10.53
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.3 deduped
| | | | | | `-- next-tick@1.0.0
| | | | | +-- es6-iterator@2.0.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | `-- es6-symbol@3.1.3 deduped
| | | | | +-- es6-set@0.1.5
| | | | | | +-- d@1.0.1 deduped
| | | | | | +-- es5-ext@0.10.53 deduped
| | | | | | +-- es6-iterator@2.0.3 deduped
| | | | | | +-- es6-symbol@3.1.1
| | | | | | | +-- d@1.0.1 deduped
| | | | | | | `-- es5-ext@0.10.53 deduped
| | | | | | `-- event-emitter@0.3.5 deduped
| | | | | +-- es6-symbol@3.1.3
| | | | | | +-- d@1.0.1 deduped
| | | | | | `-- ext@1.4.0
| | | | | |   `-- type@2.5.0
| | | | | `-- event-emitter@0.3.5
| | | | |   +-- d@1.0.1 deduped
| | | | |   `-- es5-ext@0.10.53 deduped
| | | | +-- es6-weak-map@2.0.3
| | | | | +-- d@1.0.1 deduped
| | | | | +-- es5-ext@0.10.53 deduped
| | | | | +-- es6-iterator@2.0.3 deduped
| | | | | `-- es6-symbol@3.1.3 deduped
| | | | +-- esrecurse@4.3.0 deduped
| | | | `-- estraverse@4.3.0 deduped
| | | +-- esprima@4.0.1 deduped
| | | +-- estraverse@5.1.0
| | | +-- globby@11.0.3 deduped
| | | +-- graceful-fs@4.2.6 deduped
| | | +-- jsdoc@3.6.6
| | | | +-- @babel/parser@7.13.15 deduped
| | | | +-- bluebird@3.7.2 deduped
| | | | +-- catharsis@0.8.11
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- escape-string-regexp@2.0.0
| | | | +-- js2xmlparser@4.0.1
| | | | | `-- xmlcreate@2.0.3
| | | | +-- klaw@3.0.0
| | | | | `-- graceful-fs@4.2.6 deduped
| | | | +-- markdown-it@10.0.0
| | | | | +-- argparse@1.0.10 deduped
| | | | | +-- entities@2.0.3
| | | | | +-- linkify-it@2.2.0
| | | | | | `-- uc.micro@1.0.6 deduped
| | | | | +-- mdurl@1.0.1
| | | | | `-- uc.micro@1.0.6
| | | | +-- markdown-it-anchor@5.3.0
| | | | +-- marked@0.8.2
| | | | +-- mkdirp@1.0.4
| | | | +-- requizzle@0.2.3
| | | | | `-- lodash@4.17.21 deduped
| | | | +-- strip-json-comments@3.1.1
| | | | +-- taffydb@2.6.2
| | | | `-- underscore@1.10.2
```

Thanks,
Rajesh