GeoIP2-node

lodash version is vulnerable

Open aeimer opened this issue 3 years ago • 1 comments

Environment

  • OS Version(s): ...
  • Node Version(s): ...
  • GeoIP2-node Version(s): ...

Questionnaire

I'm using GeoIP2-node for...

  • [ ] ...database lookups.
  • [x] ...web service calls.

Requested priority:

  • [ ] Blocking
  • [x] High
  • [ ] Normal
  • [ ] Low

Willing to submit pull request:

  • [ ] Yes
  • [ ] No
  • [x] depending on solution

Expected Behavior

Not use vulnerable libs.

Actual Behavior

Using vulnerable libs.

Steps to Reproduce the Bug

https://github.com/lodash/lodash/issues/5499

aeimer, Oct 10 '22 13:10

@aeimer Thank you for reporting this. This should be an easy fix, as lodash.set is only being used 4 times.

kevcenteno, Oct 11 '22 20:10

Great. Many thanks!

aeimer, Oct 18 '22 06:10

@kevcenteno can we tag the new version and deploy it therefore?

aeimer, Oct 26 '22 11:10

@aeimer Deployed! https://github.com/maxmind/GeoIP2-node/releases/tag/v3.5.0 https://www.npmjs.com/package/@maxmind/geoip2-node/v/3.5.0

kevcenteno, Oct 28 '22 16:10