Prototype Pollution for dependencies with "lodash" #155
Comments
|
I'm not sure how soon this will be resolved if at all, as it seems like there's not a lot of movement in this repository. If anybody finds an alternative package without this dependency on a vulnerable version of |
|
@thun88 hm looks like this was raised a year ago as well in this issue. I haven't dug into it yet but it seems like this may be an up to date fork/alternative. |
ghost
mentioned this issue
|
Done in #157. Can you please take a look? |
Hi Jantimon, |
|
Thanks for the feedback 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi Jantimon,
I just want to report you an "npm audit" from one of my projects.
I'm using
"lodash": "^4.17.14",
"favicons-webpack-plugin": "0.0.9",
Here below the log:
High Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > cheerio > lodash
More info https://npmjs.com/advisories/782
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > cheerio > lodash
More info https://npmjs.com/advisories/577
Low Regular Expression Denial of Service
Package debug
Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of favicons-webpack-plugin [dev]
Path favicons-webpack-plugin > favicons > node-rest-client >
debug
More info https://npmjs.com/advisories/534
The text was updated successfully, but these errors were encountered: