Latest version of plato (1.7.0) using a vulnerable version of lodash (4.13.1) #216
From: https://nodesecurity.io/advisories/577

> Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via `__proto__` causing the addition or modification of an existing property that will exist on all objects.
>
> Remediation

@jsoverson Please fix this.
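The advisory quoted above describes the pattern the issue is about: a deep merge that walks into a `__proto__` (or `constructor.prototype`) key of untrusted input and writes onto `Object.prototype`. The following is an added example, not code from plato, lodash or the advisory. It shows the two defensive measures a consumer of such a library can apply regardless of which lodash version is pinned: a merge that skips prototype-affecting keys (the approach lodash took in 4.17.5), and a scanner that reports where such keys occur in parsed JSON so the request can be rejected and logged. The payload, defaults and the function names `safeMerge`, `findPrototypeKeys`, `processConfig` and `prototypeOwnKeys` are all constructed for this example.

```javascript
// Added example (not project code). Keys that, when reached by a naive deep
// merge, let input alter Object.prototype instead of the target object.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Detection: return dotted paths of every key in `input` that could affect a
// prototype. JSON.parse creates "__proto__" as an own data property, so
// Object.keys() sees it; an object literal would not (it sets the prototype).
function findPrototypeKeys(input, path = "", found = []) {
  if (!isPlainObject(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) found.push(here);
    findPrototypeKeys(input[key], here, found);
  }
  return found;
}

// Mitigation: deep-merge `source` into `target`, never descending through an
// unsafe key and never merging into an inherited (non-own) property.
function safeMerge(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the key entirely
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {}; // fresh object, not an inherited one
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime invariant: Object.prototype should have no own enumerable keys.
// A non-empty list after handling a request is a strong pollution signal.
function prototypeOwnKeys() {
  return Object.keys(Object.prototype);
}

// Apply both measures to a raw JSON body against a copy of the defaults.
function processConfig(defaults, rawJson) {
  const parsed = JSON.parse(rawJson);
  const flagged = findPrototypeKeys(parsed);
  const merged = safeMerge(JSON.parse(JSON.stringify(defaults)), parsed);
  return { flagged, merged };
}

// Constructed sample: application defaults and a hostile request body. The
// body is a JSON string on purpose, since a JS literal cannot express an own
// "__proto__" property.
const DEFAULTS = { theme: "light", limits: { maxFiles: 5, maxDepth: 3 } };
const SAMPLE_PAYLOAD =
  '{"theme":"dark","limits":{"maxFiles":10,"__proto__":{"isAdmin":true}},' +
  '"constructor":{"prototype":{"isAdmin":true}}}';

console.log(JSON.stringify(processConfig(DEFAULTS, SAMPLE_PAYLOAD)));
// → flagged: ["limits.__proto__","constructor","constructor.prototype"],
//   merged: {"theme":"dark","limits":{"maxFiles":10,"maxDepth":3}}
```

In practice the `flagged` list is what goes to the log or the 400 response, and `prototypeOwnKeys()` is cheap enough to assert in tests or a health check; `Object.freeze(Object.prototype)` at process start is a further blanket mitigation where the application's own code tolerates it.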
@jsoverson any chance we can update the dependency to >=4.17.5?
@jsoverson sorry for the direct mentioning again. But any chance we can update the dependency to >=4.17.5 for the matter of security?
+1 please
I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme.
Shame. Just an idea: maybe write a disclaimer "currently not maintained, only security patches" in the readme and fix these at least?
### REASON vulnerability issue (es-analysis#216)

Hi Everyone,

When running a custom static-code analysis tool, we've found that plato 1.7.0 has lodash 4.13.1 within its dependencies, which is known to have a "Prototype Pollution" vulnerability.

More information here

Thank you,
Alfredo Pardo