
security vulnerability with using old version of underscore.string #310

Closed
shiup opened this issue Nov 9, 2018 · 9 comments

Comments

@shiup

commented Nov 9, 2018

✗ High severity vulnerability found on underscore.string@2.4.0

@robotsrule


commented Nov 20, 2018

I ran into this using Snyk this week as well. I submitted a PR to update the package.json to use a non vulnerable version of argparse.

#312

@janotav


commented Jan 10, 2019

We are affected by this issue as well - remarkable being a dependency of grafana. Any chance of getting this merged & released in the foreseeable future?

@exoego exoego referenced this issue Jan 20, 2019
@shockey

Collaborator

commented Feb 7, 2019

Chiming in from downstream - this is a concern for us over at Swagger UI as well (cc swagger-api/swagger-ui#5152)

@opatut


commented Feb 18, 2019

The underscore.string dependency comes from argparse < 1.0.0, so the argparse version needs to be upgraded. In 1.0.0 argparse switched to lodash and doesn't have this problem anymore. There seem to be no breaking changes for that argparse upgrade.

@uiteoi


commented Feb 25, 2019

@opatut could you do a pull request to upgrade argparse to 1.0.0?

@opatut


commented Feb 25, 2019

There you go ;) Bumped to 1.0.10 because -- why not? There are no reported breaking changes. I ran the tests, they are green.

@opatut


commented Feb 28, 2019

Haha, I just realized there are now 4 different PRs for that. One of them also fixed all the Travis testing hiccups, so you might want to merge that one (#323) and get this thing green again.

@plroebuck


commented Apr 19, 2019

When should we expect an updated release for this?

@prabuvenkat


commented Jun 3, 2019

When can we expect an updated release for this?
