
security issue

Open liyokuna opened this issue 6 years ago • 3 comments

Hello,

I am using the latest release of this package on my Angular project. Recently, I received some warning messages about two of your dependencies that needed to be updated in order to match security requirement.

Here is the list:

Package: underscore.string
Patched in: >=3.3.5
Dependency of: font-loader [dev]
Path: font-loader > ttf2eot > argparse > underscore.string
More info: https://nodesecurity.io/advisories/745

Package: lodash
Patched in: >=4.17.5
Dependency of: font-loader [dev]
Path: font-loader > svg2ttf > lodash
More info: https://nodesecurity.io/advisories/577

It would be great to have another release matching those security expectations. When will the next release be made?

liyokuna, Jan 23 '19 13:01

In my case npm audit shows these vulnerable packages.

- font-loader > lodash
- font-loader > option-multiplexer > lodash
- font-loader > svg2ttf > lodash
- font-loader > ttf2eot > argparse > underscore.string
- font-loader > ttf2woff > argparse > underscore.string

What I should say is that not all of these security issues can be fixed within this package.

- font-loader > lodash - can be fixed; this needs code migration to lodash 4.x
- font-loader > option-multiplexer > lodash - cannot be fixed here; option-multiplexer itself requires lodash "^3.8.0" (but fortunately @izaakschroeder maintains option-multiplexer too)
- font-loader > svg2ttf > lodash - can and will be fixed along with the first issue, as svg2ttf requires lodash "^4.17.10"
- font-loader > ttf2eot > argparse > underscore.string - can be fixed by upgrading to ttf2eot 2.x, as it depends on a newer argparse, which in turn no longer requires underscore/lodash
- font-loader > ttf2woff > argparse > underscore.string - can be fixed by upgrading to ttf2woff 2.x, same as the previous one

nicky1038, Jan 28 '19 12:01
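To check which of the audit paths above a planned upgrade actually closes, the following added example (not code from font-loader or its maintainers) walks a package-lock.json-style dependency tree and reports every path ending in a package whose installed version is below the "Patched in" minimum. The tree and its version numbers are constructed to mirror the paths quoted in this issue, not copied from a real lock file.

```javascript
// Constructed dependency tree in the nested shape of package-lock.json v1
// (name -> { version, dependencies }). Versions are placeholders chosen so
// that the paths reported by npm audit in this issue show up as vulnerable,
// while svg2ttf's lodash (which requires ^4.17.10) is already patched.
const lockTree = {
  name: 'font-loader',
  dependencies: {
    lodash: { version: '3.10.1' },
    'option-multiplexer': {
      version: '0.1.0',
      dependencies: { lodash: { version: '3.10.1' } },
    },
    svg2ttf: { version: '4.3.0', dependencies: { lodash: { version: '4.17.11' } } },
    ttf2eot: {
      version: '1.0.0',
      dependencies: {
        argparse: {
          version: '0.1.16',
          dependencies: { 'underscore.string': { version: '2.4.0' } },
        },
      },
    },
  },
};

// Numeric comparison of dotted versions; returns <0, 0 or >0 like strcmp.
// (Deliberately minimal: no pre-release tags or ranges, unlike the semver lib.)
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every "a > b > c" path that ends in `pkg` with version < `patched`,
// which is the same "Path" line npm audit prints for an advisory.
function findVulnerablePaths(tree, pkg, patched, prefix = [tree.name]) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, name];
    if (name === pkg && compareVersions(node.version, patched) < 0) {
      hits.push(`${path.join(' > ')} (${node.version}, patched in >=${patched})`);
    }
    hits.push(...findVulnerablePaths({ name, ...node }, pkg, patched, path));
  }
  return hits;
}

console.log(findVulnerablePaths(lockTree, 'lodash', '4.17.5'));
console.log(findVulnerablePaths(lockTree, 'underscore.string', '3.3.5'));
```

Re-running it against the tree after bumping a node's version shows immediately which audit paths a given upgrade removes and which (like option-multiplexer's own lodash) remain.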

I've made a pull request to the option-multiplexer repo (fortunately upgrading to lodash 4.17.x breaks nothing there, unlike this package): https://github.com/izaakschroeder/option-multiplexer/pull/1

nicky1038, Jan 28 '19 14:01

Thanks @nicky1038, I hope @izaakschroeder will review and accept your PR. I am running into the same security issues as you now.

liyokuna, Jan 31 '19 10:01