security vulnerability with using old version of underscore.string #310

Closed
shiup opened this issue Nov 9, 2018 · 9 comments · Fixed by #349

shiup commented Nov 9, 2018

✗ High severity vulnerability found on underscore.string@2.4.0

@robotsrule

I ran into this using Snyk this week as well. I submitted a PR to update the package.json to use a non-vulnerable version of argparse.

#312

@janotav

janotav commented Jan 10, 2019

We are affected by this issue as well - remarkable being a dependency of grafana. Any chance of getting this merged & released in the foreseeable future?

@exoego exoego mentioned this issue Jan 20, 2019
@shockey
Collaborator

shockey commented Feb 7, 2019

Chiming in from downstream - this is a concern for us over at Swagger UI as well (cc swagger-api/swagger-ui#5152)

@opatut

opatut commented Feb 18, 2019

The underscore.string dependency comes from argparse < 1.0.0, so the argparse version needs to be upgraded. In 1.0.0 argparse switched to lodash and doesn't have this problem anymore. There seem to be no breaking changes for that argparse upgrade.
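One way to confirm which direct dependency drags underscore.string into the tree, and whether bumping argparse actually clears it, as an added example that is not part of this thread or the remarkable project. The trees are shaped like `npm ls --json` output; every version tagged "constructed" is a placeholder, and the argparse 0.1.0 version is constructed to stand for any pre-1.0.0 release.

```javascript
// Added example, not code from the remarkable project: trace a transitive dependency
// through an `npm ls --json`-shaped tree to the direct dependency that pulls it in.

// Constructed trees; versions tagged "constructed" are illustrative, not real.
const TREE_BEFORE = {
  name: 'remarkable', version: '0.0.0-constructed',
  dependencies: {
    argparse: {
      version: '0.1.0', // constructed; argparse < 1.0.0 depended on underscore.string
      dependencies: { 'underscore.string': { version: '2.4.0' } },
    },
  },
};
const TREE_AFTER = {
  name: 'remarkable', version: '0.0.0-constructed',
  dependencies: {
    argparse: {
      version: '1.0.10', // the bump proposed in the thread
      dependencies: { lodash: { version: '0.0.0-constructed' } },
    },
  },
};

// Every root-to-target path, each as an array of "name@version" strings.
function findPaths(tree, target) {
  const found = [];
  const walk = (name, node, trail) => {
    const here = [...trail, `${name}@${node.version}`];
    if (name === target) found.push(here);
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(dep, child, here);
  };
  walk(tree.name, tree, []);
  return found;
}
// Dotted-numeric comparison: true when v >= min (pre-release suffix ignored).
function versionAtLeast(v, min) {
  const a = v.split('-')[0].split('.').map(Number);
  const b = min.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const [x, y] = [a[i] || 0, b[i] || 0];
    if (x !== y) return x > y;
  }
  return true;
}
// The direct dependency (second hop) on the first path to the target, or null.
function directCulprit(tree, target) {
  const p = findPaths(tree, target)[0];
  return p && p.length > 1 ? p[1] : null;
}
```

Feeding the real `npm ls --json` output of a checkout into `findPaths` shows the same chain the thread describes, and an empty result after the bump is the evidence that the advisory no longer applies.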

@uiteoi

uiteoi commented Feb 25, 2019

@opatut could you do a pull request to upgrade argparse to 1.0.0?

@opatut

opatut commented Feb 25, 2019

There you go ;) Bumped to 1.0.10 because -- why not? There are no reported breaking changes. I ran the tests, they are green.

@opatut

opatut commented Feb 28, 2019

Haha, I just realized there are now 4 different PRs for that. One of them also fixed all the Travis testing hiccups, so you might want to merge that one (#323) and get this thing green again.

@plroebuck

When should we expect an updated release for this?

@prabuvenkat

When can we expect an updated release for this?
