Meteor-embedded underscore library contains vulnerabilities #12673
Comments
There was an effort to remove underscore. See: https://github.com/meteor/meteor/pulls?q=is%3Apr+is%3Aopen+remove+underscore Sounds like those PRs should be merged
Thanks @jamauro ... I am also using the library on some of my custom code routines... do you have any suggestion as to a good replacement library? Unless newer versions of underscore, that are not vulnerable, are available, I might have to switch. Thanks
Take a look at lodash or you might be able to just use native JS https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore
@Grubba27 I think we need to merge as many of the remove underscore PRs as possible for the next release. In the meantime I will update our version of underscore to the latest release before underscore was split from the single file. Already got v1.6 done. Just a note to everyone, Meteor has adjusted underscore in small parts so that needs to be taken into account when doing these upgrades and sadly it isn't as simple as just upping a version number.
@carlosalvidrez do you know what minimum underscore version we need to clear the warning?
Hi @StorytellerCZ! It's this:
@carlosalvidrez that is strange, 1.5.2 > 1.0.13. If it is 1.13.0, then that would make sense, but that one will be quite difficult as I think that is after the split into multiple packages. I can upgrade up to 1.12.1 reasonably. After that it will become more difficult. UPDATE: 1.9.2 is a more realistic target as the first step, as that is the latest version similar to what we have in Meteor.
Yes, it's strange, puzzled as to why Chrome detects 1.5.2... weird! The version I quoted above is from the meteor "packages" file.
The Meteor packages internally use underscore 1.5.2.
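The version confusion above (1.5.2 vs. 1.0.13 vs. 1.13.0, and a Lighthouse report that disagrees with the packages file) comes down to two things: which underscore copy is actually in the built bundle, and comparing versions numerically rather than as strings. The following added script is not Meteor's or underscore's code; it scans a bundle for the `VERSION` string and flags copies older than a minimum. The two regex patterns (`_.VERSION = '...'` for the old single-file build, `var VERSION = '...'` for the modular build) and the sample bundle are assumptions and constructed input.

```javascript
// Added example (not Meteor or underscore code): find which underscore
// version(s) a built bundle actually ships and compare them numerically
// against a minimum, so that 1.13.0 is never mistaken for 1.0.13.

// Assumed stamps: the old single-file underscore sets `_.VERSION = '1.x.y';`,
// the modular builds declare `var VERSION = '1.13.x';`. Verify against the
// bundle you really ship; these are assumptions, not a spec.
const VERSION_RE = /(?:_\.|var\s+)VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/g;

// Returns the distinct underscore version strings found in the bundle text.
function findUnderscoreVersions(bundleText) {
  const found = new Set();
  for (const m of bundleText.matchAll(VERSION_RE)) found.add(m[1]);
  return [...found];
}

// Numeric comparison of dotted versions: negative, zero or positive,
// like a comparator for Array.prototype.sort.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every embedded copy that is older than `minimum`, oldest first.
function outdatedCopies(bundleText, minimum) {
  return findUnderscoreVersions(bundleText)
    .filter((v) => compareVersions(v, minimum) < 0)
    .sort(compareVersions);
}

// Constructed sample bundle: an old Meteor-style copy next to a modern one.
const SAMPLE_BUNDLE = [
  "(function(){ var _ = function(obj){ return obj; }; _.VERSION = '1.5.2'; })();",
  "var VERSION = '1.13.6'; // modular underscore build",
].join('\n');

console.log(outdatedCopies(SAMPLE_BUNDLE, '1.13.0')); // [ '1.5.2' ]
```

Run it against the client bundle Meteor emits (e.g. the merged `.js` under the build output) instead of `SAMPLE_BUNDLE` to see which copies a scanner like Lighthouse would actually encounter.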
Hey @StorytellerCZ, I agree! Could you tag those green underscore PRs so we can work on them for the 2.14 release?
I'll add them to the milestone. |
Meteor 2.15 updates the underscore package to 1.6 (after that I'm having some issues which I need to debug). Will look if there is some other place where we get underscore.
Hi guys, is there a way for me to upgrade the meteor/underscore library to a more modern version? The one that seems to be bundled with Meteor 2.12 is being reported by Chrome's Lighthouse as vulnerable (attached screenshot).
Meteor Version 2.12.
Chrome Lighthouse inspection reports a vulnerability in the underscore library.
I have it added as "underscore" in the packages file.