Node.js package-lock.json: library: lodash v4.17.19, HIGH severity vulnerability id: NSWG-ECO-516, title: Allocation of Resources Without Limits or Throttling #588
Labels
kind/security-advisory
Description
Trivy is reporting a HIGH severity vulnerability in the Lodash library v4.17.19 (NSWG-ECO-516: Allocation of Resources Without Limits or Throttling). From what I gather, the problem stemmed from the zipObjectDeep function within Lodash and has now been fixed in v4.17.19. However, Trivy is still reporting it as a HIGH severity vulnerability.
Lodash PR: lodash/lodash#4759
Npm advisory: https://www.npmjs.com/advisories/1523
Please could you let me know if the vulnerability is fixed and, if so, when the Trivy db will be updated?
What did you expect to happen?
Vulnerability NSWG-ECO-516 to not be flagged for Lodash v4.17.19.
What happened instead?
Vulnerability NSWG-ECO-516 is flagged as HIGH severity for Lodash v4.17.19.
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):