Security leak in _.template, please update #2915

Closed
jgonggrijp opened this issue Mar 15, 2021 · 4 comments
@jgonggrijp (Collaborator) commented Mar 15, 2021

We were notified of a security issue in _.template, which appears to have existed since Underscore version 1.3.2. The bug was fixed in versions 1.12.1 and 1.13.0-2, which I just published. If using NPM, please upgrade to underscore@latest or underscore@preview.

@willdurand commented Mar 19, 2021

@jgonggrijp where is the 1.12.1 tag?

@jgonggrijp (Collaborator, Author) commented Mar 19, 2021

@willdurand I intentionally postponed pushing that in order to give people who want to exploit the leak less to go on. I'll let you know when I push it.

@willdurand commented Mar 19, 2021

thanks

jgonggrijp added a commit that referenced this issue Mar 29, 2021
@jgonggrijp (Collaborator, Author) commented Mar 29, 2021

@willdurand The tag is online now.

ttc229 pushed a commit to ttc229/spritesheet-templates that referenced this issue Apr 26, 2021
Our project flagged a Security Vulnerability in the underscore dependency jashkenas/underscore#2915 which is hoisted via spritesheet-templates.

The current package.json uses "underscore": "~1.4.2". The fix for the underscore vulnerability is in versions 1.12.1, 1.13.0-2.
twolfson pushed a commit to twolfson/spritesheet-templates that referenced this issue Apr 27, 2021
Our project flagged a Security Vulnerability in the underscore dependency jashkenas/underscore#2915 which is hoisted via spritesheet-templates.

The current package.json uses "underscore": "~1.4.2". The fix for the underscore vulnerability is in versions 1.12.1, 1.13.0-2.
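
The version range given in this thread, turned into a lockfile check that also finds copies of underscore nested under other dependencies. This is an added example, not code from the thread or from the Underscore project; the affected range (1.3.2 up to but excluding 1.12.1, plus 1.13.0 prereleases before 1.13.0-2) is read from the comments above, and `sampleLock` with all its versions is constructed sample data.

```javascript
// Added example. Affected range as stated in the thread (an assumption of this
// sketch): 1.3.2 <= v < 1.12.1, plus 1.13.0 prereleases before 1.13.0-2.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  // A final release sorts after all of its numbered prereleases.
  const pre = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), pre];
}

function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  if (compare(version, '1.3.2') < 0) return false;  // predates the bug
  if (compare(version, '1.12.1') < 0) return true;  // stable line, unfixed
  // Preview line: only the prereleases before 1.13.0-2 are unfixed.
  return compare(version, '1.13.0-0') >= 0 && compare(version, '1.13.0-2') < 0;
}

// Scan an npm lockfile (lockfileVersion 2+ "packages" map) for every installed
// copy of underscore, including copies nested under other dependencies.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/underscore$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '0.0.0' },
    'node_modules/underscore': { version: '1.12.1' },
    'node_modules/underscore.string': { version: '3.3.5' },
    'node_modules/spritesheet-templates/node_modules/underscore': { version: '1.4.4' },
  },
};

console.log(findAffected(sampleLock));
```

A top-level upgrade does not replace a nested copy pinned by a range such as `~1.4.2`, which is why the scan reports by install path.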