Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fs-tree-structure is using a lodash.set that has high severity vulnerability! #137

Closed
pedrolamas opened this issue Jan 30, 2024 · 2 comments · Fixed by #138
Closed

fs-tree-structure is using a lodash.set that has high severity vulnerability! #137

pedrolamas opened this issue Jan 30, 2024 · 2 comments · Fixed by #138
Labels
bug Something isn't working

Comments

@pedrolamas
Copy link
Contributor

pedrolamas commented Jan 30, 2024
edited
Loading

Summary

I've noticed the fs-tree-structure is using lodash.set which is 7 years old(!) and has been known to have a high severity vulnerability: GHSA-p6mc-m468-83gw

Reproduction steps

  • Create a new empty folder
  • Inside the new folder, run npm i skott (this is the single package we need to install)
  • Run npm audit and observe results

image

Expected result:

Audit should not report any known vulnerabilities.

Actual result:

Audit reports known vulnerability.

Details

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question Answer
skott installed version? 0.32.0
Operating system? Ubuntu (WSL2 in Windows 11)
Would you consider contributing a PR? Yes
Node.js version (node -v)? v20.9.0
@pedrolamas pedrolamas added the bug Something isn't working label Jan 30, 2024
@pedrolamas
Copy link
Contributor Author

Small addendum to the above, I assume lodash.set is in use to avoid bringing in the whole of lodash, however that is what tree-shaking is for and nowadays lodash is quite optimized for that!

@pedrolamas pedrolamas mentioned this issue Jan 30, 2024
Merged
2 tasks
@antoine-coulon
Copy link
Owner

Hello @pedrolamas, thanks for the heads up and the landed fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: fix lodash vulnerability pedrolamas/skott
2 participants
@pedrolamas @antoine-coulon