
Vulnerability report with lodash dependency

Open mikemix opened this issue 5 years ago • 1 comments

During npm install, 2 vulnerabilities (1 moderate, 1 low) are introduced when installing horsey:

npm audit gives

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Prototype Pollution
  Package         lodash
  Patched in      >=4.17.11
  Dependency of   @goguardian/horsey
  Path            @goguardian/horsey > lodash
  More info       https://npmjs.com/advisories/782

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   @goguardian/horsey
  Path            @goguardian/horsey > lodash
  More info       https://npmjs.com/advisories/577

Please update! @bevacqua is this library dead?

mikemix avatar Feb 13 '19 08:02 mikemix
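The audit output above only says that some copy of lodash on the `@goguardian/horsey > lodash` path is below the patched versions (>=4.17.11 for advisory 782, >=4.17.5 for advisory 577). The script below is an added example, not code from the horsey project or from anyone in this thread: it walks a lockfileVersion-1 `package-lock.json` tree, lists every copy of lodash with the path that pulled it in (the same "Path" column npm audit prints), and flags copies older than each advisory's patched version. The lockfile object and all version numbers in it are constructed for illustration; the advisory numbers and patched versions are the ones quoted in the issue.

```javascript
// Added example (not from the horsey project or the issue authors): find
// every lodash copy in a package-lock.json that is still below the patched
// versions named by the two npm advisories quoted in this issue.

// CONSTRUCTED lockfile mirroring the audit path "@goguardian/horsey > lodash".
// The version strings are made up; only the package names come from the issue.
const SAMPLE_LOCKFILE = {
  name: "demo-app",                    // constructed
  lockfileVersion: 1,
  dependencies: {
    "@goguardian/horsey": {
      version: "0.0.0-placeholder",    // placeholder, not a real horsey release
      dependencies: {
        lodash: { version: "4.17.4" }  // constructed: older than both patches
      }
    },
    lodash: { version: "4.17.15" }     // constructed: top-level copy is patched
  }
};

// Advisories from the npm audit report on this page and the lowest version
// each one lists as patched.
const ADVISORIES = [
  { id: 782, severity: "moderate", patchedIn: "4.17.11" },
  { id: 577, severity: "low", patchedIn: "4.17.5" },
];

// Compare two dotted numeric versions numerically (so 4.17.11 > 4.17.9,
// which a plain string comparison would get wrong). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Recursively collect every copy of `pkg` in a lockfileVersion-1
// "dependencies" tree, together with the chain of packages that pulled it in.
function findPackage(tree, pkg, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg) {
      hits.push({ path: path.join(" > "), version: info.version });
    }
    hits.push(...findPackage(info, pkg, path));
  }
  return hits;
}

// One finding per (lodash copy, advisory) pair where the installed version
// is still below the advisory's patched version.
function auditLodash(lockfile) {
  return findPackage(lockfile, "lodash").flatMap(({ path, version }) =>
    ADVISORIES
      .filter((adv) => compareVersions(version, adv.patchedIn) < 0)
      .map((adv) => ({ ...adv, path, version }))
  );
}

// Stand-alone run: prints the findings for the constructed lockfile.
for (const f of auditLodash(SAMPLE_LOCKFILE)) {
  console.log(
    `${f.severity}\tadvisory ${f.id}\t${f.path}\tinstalled ${f.version}, patched in >=${f.patchedIn}`
  );
}
```

On a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Until an upstream bump such as the PR linked in the next comment is merged and released, the transitive copy can be forced to a patched release from the consuming project: npm 8.3 and later honour an `overrides` field in package.json, and Yarn has the equivalent `resolutions` field; re-running this check (or `npm audit`) afterwards confirms the nested copy is gone.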

Yes please, let's get https://github.com/bevacqua/horsey/pull/78 merged so we can all sleep a bit better. Damn, I see this is a year-old issue; any chance @bevacqua you can tell us something about the state of this library and whether you're going to maintain it any longer?

zewa666 avatar Feb 07 '20 05:02 zewa666