
lodash and minimatch vulnerabilities

Open ChadRidings opened this issue 6 years ago • 4 comments

Dependencies need to be updated (`"grunt-assemble": "^0.6.3"`). See the following when running an audit...

High: Regular Expression Denial of Service
Package: minimatch
Patched in: >=3.0.2
Dependency of: grunt-assemble [dev]
Paths:

  • grunt-assemble
  • gray-matter > fs-utils > globule > glob > minimatch
  • grunt-assemble > gray-matter > fs-utils > globule > minimatch
  • grunt-assemble > resolve-dep > cwd > findup-sync > glob > minimatch
  • grunt-assemble > resolve-dep > globby > glob > minimatch

Low: Prototype Pollution
Package: lodash
Patched in: >=4.17.5
Dependency of: grunt-assemble [dev]
Paths:

  • grunt-assemble
  • gray-matter > delims > lodash
  • grunt-assemble > gray-matter > fs-utils > globule > lodash
  • grunt-assemble > gray-matter > fs-utils > lodash
  • grunt-assemble > gray-matter > lodash
  • grunt-assemble > lodash
  • grunt-assemble > resolve-dep > cwd > findup-sync > lodash

ChadRidings avatar Sep 14 '18 19:09 ChadRidings
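The audit paths above, as an added example (not part of the issue or the grunt-assemble project): a script that walks a package-lock-style dependency tree and lists every path ending in a version below an advisory's patched floor, which is why one unpatched package is reported once per route through which it is reached. The tree and every version in it are constructed placeholders, not the real grunt-assemble lock file.

```javascript
// Added example, not from grunt-assemble. Walks a nested tree shaped like
// package-lock "dependencies" and reports each path to a vulnerable version.
// Advisory floors match the audit output in the issue; tree versions are made up.
const ADVISORIES = [
  { name: 'minimatch', patched: '3.0.2', title: 'Regular Expression Denial of Service' },
  { name: 'lodash', patched: '4.17.5', title: 'Prototype Pollution' },
];

// Numeric compare of major.minor.patch; pre-release tags are ignored (simplified).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk. Returns [{ path, version, title }] for every node whose
// version is below the patched floor of a matching advisory.
function findVulnerablePaths(tree, advisories, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const path = [...prefix, name];
    const adv = advisories.find((a) => a.name === name);
    if (adv && cmpVersion(node.version, adv.patched) < 0) {
      hits.push({ path: path.join(' > '), version: node.version, title: adv.title });
    }
    if (node.dependencies) hits.push(...findVulnerablePaths(node.dependencies, advisories, path));
  }
  return hits;
}

// Constructed tree approximating the audit paths; the patched lodash under
// resolve-dep shows that only versions below the floor are reported.
const SAMPLE_TREE = {
  'grunt-assemble': { version: '0.6.3', dependencies: {
    lodash: { version: '2.4.1' },
    'gray-matter': { version: '2.0.0', dependencies: {
      lodash: { version: '3.10.1' },
      'fs-utils': { version: '0.5.0', dependencies: {
        lodash: { version: '2.4.1' },
        globule: { version: '0.2.0', dependencies: { lodash: { version: '1.0.2' }, minimatch: { version: '0.2.14' } } },
      } },
    } },
    'resolve-dep': { version: '0.6.0', dependencies: {
      lodash: { version: '4.17.21' },
      globby: { version: '0.1.1', dependencies: { glob: { version: '4.5.3', dependencies: { minimatch: { version: '2.0.10' } } } } },
    } },
  } },
};

for (const h of findVulnerablePaths(SAMPLE_TREE, ADVISORIES)) console.log(`${h.title}: ${h.path}@${h.version}`);
```

Each reported path is a separate transitive dependency that must be bumped (or pinned via a lock-file override) before the advisory disappears from the audit.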

@ChadRidings Thanks for the issue! If you're reporting a bug, please be sure to include:

  • The version of assemble you are using.
  • Your assemblefile.js (This can be in a gist)
  • The command-line output. (Screenshot or gist is fine)
  • What you expected to happen instead.

assemblebot avatar Sep 14 '18 19:09 assemblebot

Is this project dead? Those dependencies with security issues have been unfixed for two years.

therealshark avatar Aug 27 '20 11:08 therealshark

I would be interested in that too. Currently grunt-assemble has 30+ vulnerabilities. Will this be fixed one happy day?

olegmeglin avatar Sep 10 '20 13:09 olegmeglin

Bumping this thread. Currently running into lots of vulnerabilities with this library as well.

dprensha avatar Feb 09 '23 18:02 dprensha