This repository has been archived by the owner on May 22, 2024. It is now read-only.
[Snyk: High] lodash command injection (due 02/03/2022) #643
Assignees
Labels
Milestone
Comments
pkfec
added
Security: high
pkfec
changed the title
This was referenced Dec 22, 2021
1 task
|
updated lodash version to 4.17.21 in package.json. |
1 task
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.
Affected versions of this package are vulnerable to Command Injection via template
https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724
Detailed paths:
Introduced through: fec-eregs@1.0.0 › node-sass@7.0.0 › lodash@4.17.19
Fix: Your dependencies are out of date, otherwise you would be using a newer lodash than lodash@4.17.19. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: fec-eregs@1.0.0 › node-sass@7.0.0 › sass-graph@2.2.5 › lodash@4.17.19
Fix: Your dependencies are out of date, otherwise you would be using a newer lodash than lodash@4.17.19. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: fec-eregs@1.0.0 › node-sass@7.0.0 › gaze@1.1.3 › globule@1.3.2 › lodash@4.17.19
Fix: Your dependencies are out of date, otherwise you would be using a newer lodash than lodash@4.17.19. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Remediation:
Upgrade lodash@4.17.21
Completion criteria:
The text was updated successfully, but these errors were encountered: