Snyk recommendations 12 aug #4743

Open
loqus opened this issue Aug 12, 2019 · 0 comments

Comments

@loqus
commented Aug 12, 2019

Description

I ran the public git repository through Snyk. It came up with several recommendations:

Prototype Pollution
Vulnerable module: lodash.merge
Introduced through: v-tooltip@2.0.0-rc.33
Remediation: Upgrade to v-tooltip@2.0.0
https://app.snyk.io/vuln/SNYK-JS-LODASHMERGE-173732

Cross-site Scripting (XSS)
Vulnerable module: shave
Introduced through: vue-shave@1.0.3
Remediation: Your dependencies are out of date, otherwise you would be using a newer shave than shave@2.5.2. Try relocking your lockfile or deleting node_modules. If the problem persists, one of your dependencies may be bundling outdated modules.
https://app.snyk.io/vuln/SNYK-JS-SHAVE-174318

Prototype Pollution
Vulnerable module: lodash
Introduced through: @pixelandtonic/craftui@0.3.6 and lodash@4.17.11
Remediation: Open PR to patch lodash@4.17.11.
https://app.snyk.io/vuln/SNYK-JS-LODASH-450202

Probable fix(es): run npm update in
vendor/craftcms/cms
and
vendor/craftcms/cms/src/web/assets/pluginstore

Steps to reproduce

  1. Add github repository to snyk.io

Additional info

  • Craft version: github repo