Prototype Pollution for dependencies with "lodash" #155
Comments
I'm not sure how soon this will be resolved, if at all, as it seems like there's not a lot of movement in this repository. If anybody finds an alternative package without this dependency on a vulnerable version of
@thun88 hm looks like this was raised a year ago as well in this issue. I haven't dug into it yet but it seems like this may be an up to date fork/alternative.
Done in #157. Can you please take a look?
Hi Jantimon,
Thanks for the feedback 👍
Hi Jantimon,
I just want to report to you an "npm audit" result from one of my projects.
I'm using
"lodash": "^4.17.14",
"favicons-webpack-plugin": "0.0.9",
Here below is the log:
High Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > cheerio > lodash
More info https://npmjs.com/advisories/782

Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > cheerio > lodash
More info https://npmjs.com/advisories/577

Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > node-rest-client > debug
More info https://npmjs.com/advisories/534
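The audit above shows why pinning `lodash` at the top level does not help: the flagged copy is the one nested under `cheerio`. The following added example (not code from this issue or from favicons-webpack-plugin) walks a lockfileVersion 1 `package-lock.json` tree, finds every installed copy of a package, and reports the ones below the advisory's "Patched in" version with the same `a > b > c` path npm audit prints. The nested `favicons`, `cheerio` and `lodash` versions in the sample tree are constructed, not taken from the reporter's project.

```javascript
// Constructed package-lock.json (v1 shape) mirroring the dependency path in the
// audit output: a patched lodash at the top level and an old one nested under cheerio.
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: "4.17.14" },
    "favicons-webpack-plugin": {
      version: "0.0.9",
      dependencies: {
        favicons: {
          version: "5.0.0", // constructed
          dependencies: {
            cheerio: {
              version: "0.22.0", // constructed
              dependencies: { lodash: { version: "4.17.4" } }, // constructed, < 4.17.11
            },
          },
        },
      },
    },
  },
};

// Numeric major.minor.patch comparison; enough for the plain versions a lockfile records.
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return every copy of `pkg` whose version is below `patchedIn`, with its install path.
// Lockfile nesting reflects the physical node_modules layout, so a hoisted copy shows
// up at the top level while a copy npm could not dedupe shows up under its parent.
function findVulnerable(lock, pkg, patchedIn) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg && versionLt(node.version, patchedIn)) {
        hits.push({ path: here.join(" > "), version: node.version });
      }
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}
```

Running `findVulnerable(SAMPLE_LOCK, "lodash", "4.17.11")` on a real lockfile (`require("./package-lock.json")`) is a quick way to confirm whether a reported path is still present after bumping the direct dependency.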