
Medium severity vulnerability found in lodash #1620

Closed
dep-deprecated opened this issue Feb 4, 2019 · 4 comments

@dep-deprecated dep-deprecated commented Feb 4, 2019

snyk reports a Regular Expression Denial of Service vulnerability on one of your dependencies, lodash 4.17.5.

✗ Medium severity vulnerability found in lodash
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-73639
  Introduced through: snyk@1.89.0
  From: snyk@1.89.0 > lodash@4.17.5
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of lodash. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

and

Analyzing npm dependencies for package.json
Querying vulnerabilities database...
Tested 255 dependencies for known vulnerabilities, found 3 vulnerabilities, 23 vulnerable paths.

✗ 2 vulnerabilities introduced via async@2.6.1
- info: https://snyk.io/package/npm/async/2.6.1

Thanks in advance!


@dscalzi dscalzi commented Feb 8, 2019

Bump

@aearly aearly (Collaborator) commented Feb 9, 2019


@dscalzi dscalzi commented Feb 10, 2019

I think a simple patch update would do the trick.

[image]

or set v3.0.0 as `latest` on npm, as currently it's just `next` and not shown by `npm outdated`

@aearly aearly (Collaborator) commented Feb 12, 2019

Updating lodash was no issue; I've published v2.6.2 with the update.

@aearly aearly closed this as completed Feb 12, 2019
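The snyk report above counts "vulnerable paths", not just vulnerable packages: the same old lodash can be reached through several dependency chains, and a patch release of one intermediate package (async here) only closes the chains that run through it. The script below is an added example, not code from the async project or from Snyk. It walks an npm package-lock v1-style `dependencies` tree with node's nested `node_modules` lookup rules and lists every path that ends in a lodash version below an assumed fixed-in version. Both lock trees are constructed to mirror the thread (the root `requires` stands in for package.json, which a v1 lock file does not carry), and `ASSUMED_FIXED_IN` is an assumption for the example, not a value taken from the advisory.

```javascript
// Added example, not code from the async project or from Snyk: walk an npm
// package-lock v1-style "dependencies" tree and list every path that ends in a
// vulnerable version of one package. Both lock trees below are CONSTRUCTED to
// mirror the thread; the fixed-in version is an ASSUMPTION, not taken from
// the advisory.

// The version below which lodash is treated as vulnerable. ASSUMPTION for the
// example only; read the real range from the advisory before relying on it.
const ASSUMED_FIXED_IN = "4.17.11";

// Parse "MAJOR.MINOR.PATCH"; pre-release and build tags are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when a < b by numeric major/minor/patch comparison (not string order).
function versionLt(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

const isVulnerableLodash = (v) => versionLt(v, ASSUMED_FIXED_IN);

// Mimic node's module lookup: a package's "requires" entry is satisfied by the
// nearest enclosing "dependencies" block, searched from the package's own
// nested node_modules back up to the root. Returns the resolved node together
// with the physical nesting chain it lives in, so its own requires resolve
// from the right place rather than from the requiring package's chain.
function resolveDependency(name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const deps = scope[i].dependencies;
    if (deps && deps[name]) {
      return { node: deps[name], scope: scope.slice(0, i + 1).concat(deps[name]) };
    }
  }
  return null;
}

// Depth-first walk from the root's own requires. Returns one
// "a@1 > b@2 > target@x" string per path that reaches a vulnerable target.
function findVulnerablePaths(lock, target, isVulnerable) {
  const found = [];
  function walk(node, scope, path) {
    for (const depName of Object.keys(node.requires || {})) {
      const dep = resolveDependency(depName, scope);
      if (!dep) continue; // inconsistent lock file: nothing installed for this entry
      const key = `${depName}@${dep.node.version}`;
      if (path.includes(key)) continue; // dependency cycle already on this path
      const nextPath = path.concat(key);
      if (depName === target && isVulnerable(dep.node.version)) found.push(nextPath);
      walk(dep.node, dep.scope, nextPath);
    }
  }
  walk(lock, [lock], []);
  return found.map((p) => p.join(" > "));
}

// CONSTRUCTED lock tree for the state the reporter saw: async@2.6.1 pins an old
// lodash at the root, and the snyk CLI bundles its own nested lodash@4.17.5.
const lockBefore = {
  requires: { snyk: "^1.89.0", async: "^2.6.1" },
  dependencies: {
    snyk: {
      version: "1.89.0",
      requires: { lodash: "^4.17.5", async: "^2.6.1" },
      dependencies: { lodash: { version: "4.17.5" } },
    },
    async: { version: "2.6.1", requires: { lodash: "^4.17.10" } },
    lodash: { version: "4.17.10" },
  },
};

// CONSTRUCTED lock tree after taking the async patch release: the root lodash
// is now current, but snyk's nested copy is untouched, which is the
// "one of your dependencies may be bundling outdated modules" case.
const lockAfter = {
  requires: { snyk: "^1.89.0", async: "^2.6.2" },
  dependencies: {
    snyk: {
      version: "1.89.0",
      requires: { lodash: "^4.17.5", async: "^2.6.1" },
      dependencies: { lodash: { version: "4.17.5" } },
    },
    async: { version: "2.6.2", requires: { lodash: "^4.17.11" } },
    lodash: { version: "4.17.11" },
  },
};

for (const [label, lock] of [["before", lockBefore], ["after", lockAfter]]) {
  const paths = findVulnerablePaths(lock, "lodash", isVulnerableLodash);
  console.log(`${label}: ${paths.length} vulnerable path(s)`);
  for (const p of paths) console.log(`  ${p}`);
}
```

Before the patch release the walk reports three paths (two through async, one through snyk's nested copy); after it, only the snyk path remains, which no version bump in async can remove. The check a practitioner wants after bumping a dependency is therefore the path list, not the package list: a remaining path whose chain does not pass through the package you updated means a different dependency is pinning or bundling the old version.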