
Vulnerability in underscore dependency

Open matt-cooper opened this issue 4 years ago • 0 comments

Environment Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project):

  • CLI: 7.2.0
  • Cross-platform modules: 7.3.0
  • Android Runtime: 7.0.1
  • iOS Runtime: 7.2.0
  • Plugin(s): 6.1.3

Describe the bug The GitHub Dependabot reports that the "underscore" dependency of "nativescript-dev-appium" has a vulnerability: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized. More info at: https://github.com/advisories/GHSA-cf4h-3jhx-xvhq

To Reproduce Add nativescript-dev-appium to a NativeScript project. Look in package-lock to see dependency chain: "nativescript-dev-appium" version 6.1.3 uses "frame-comparer": "^2.0.1" which uses "blink-diff": "^1.0.13" which uses "pngjs-image": "~0.11.5" which uses "underscore": "1.7.0"

Expected behavior Dependency chain using "underscore" version 1.12.1 or newer (as per the GitHub advisory link above).

Sample project

Additional context

matt-cooper, May 10 '21 15:05
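The following is an added example, not code from the issue or from nativescript-dev-appium: a Node script that walks a lockfileVersion 1 package-lock.json, follows each package's "requires" map from a given root, and reports the path to every copy of underscore whose version falls inside the two affected ranges quoted above. The lockfile object, root name and the `findVulnerableUnderscore` / `isAffected` helpers are constructed here for illustration; the version comparator assumes numeric cores with optional numeric pre-release ids, which is all the advisory's ranges need.

```javascript
// Added example, not code from nativescript-dev-appium: report every copy of "underscore"
// in a lockfileVersion 1 package-lock.json that falls inside the advisory's affected ranges,
// together with the dependency path that pulls it in. Version compare handles numeric
// cores plus numeric pre-release ids (enough for the ranges quoted here), not "beta"-style tags.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  // Infinity stands for "a release", which sorts after any pre-release of the same core.
  return [...core.split('.').map(Number), pre === undefined ? Infinity : Number(pre)];
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// [min inclusive, max exclusive], from GHSA-cf4h-3jhx-xvhq as quoted in the issue.
const AFFECTED = [['1.3.2', '1.12.1'], ['1.13.0-0', '1.13.0-2']];
const isAffected = v => AFFECTED.some(([lo, hi]) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0);
// Follow each package's "requires" map from the given root names, resolving a name the way
// Node does: nearest enclosing "dependencies" map that has it (hoisted or nested).
function findVulnerableUnderscore(lock, rootNames) {
  const hits = [], seen = new Set();
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--)
      if (scopes[i][name]) return [scopes[i][name], scopes.slice(0, i + 1)];
    return null;
  };
  const visit = (name, scopes, path) => {
    const found = resolve(name, scopes);
    if (!found) return;                        // not in the lockfile: inconsistent lock
    const [info, ownScopes] = found, label = `${name}@${info.version}`;
    if (seen.has(label)) return;               // report the first path to each copy only
    seen.add(label);
    const here = [...path, label];
    if (name === 'underscore' && isAffected(info.version)) hits.push(here.join(' > '));
    const childScopes = info.dependencies ? [...ownScopes, info.dependencies] : ownScopes;
    for (const dep of Object.keys(info.requires || {})) visit(dep, childScopes, here);
  };
  for (const root of rootNames) visit(root, [lock.dependencies || {}], []);
  return hits;
}
// Constructed sample lock (not a real file) mirroring the chain reported in the issue.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'nativescript-dev-appium': { version: '6.1.3', requires: { 'frame-comparer': '^2.0.1' } },
  'frame-comparer': { version: '2.0.1', requires: { 'blink-diff': '^1.0.13' } },
  'blink-diff': { version: '1.0.13', requires: { 'pngjs-image': '~0.11.5' } },
  'pngjs-image': { version: '0.11.5', requires: { underscore: '1.7.0' } },
  underscore: { version: '1.7.0' },
} };
console.log(findVulnerableUnderscore(sampleLock, ['nativescript-dev-appium']));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))` and pass the names from your package.json dependencies as the roots; the reported path is what has to change (or be overridden) for the fix to take effect.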