
Update lodash, to address npm audit results

Open ntdaley opened this issue 5 years ago • 7 comments

Running npm audit on a project that uses karma-html-reporter includes output like:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 80dd5990e7597a6d3477fd57c9c80cb2efe87974eb098711a1cf87cab15… │
│               │ [dev]                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 80dd5990e7597a6d3477fd57c9c80cb2efe87974eb098711a1cf87cab15… │
│               │ > karma-html-reporter > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

If the dependency on lodash gets updated, then there'd be no issues reported for karma-html-reporter.

ntdaley avatar Mar 20 '19 16:03 ntdaley

any update on the above mentioned issue?

I see the latest version of lodash has been updated in package.json or the source file, but it's getting overwritten to [email protected] after doing npm i karma-html-reporter

Karthikvenkat86 avatar Oct 03 '19 11:10 Karthikvenkat86

I'm having the same issues as mentioned above.

yzini-eagle avatar May 01 '20 18:05 yzini-eagle

Same here, lodash is still on 2.2.1 when installing the latest 0.2.7 package

lechen26 avatar Aug 17 '20 07:08 lechen26

Even after updating the lodash version, the package version is still 0.2.7.

HarshSainiJobvite avatar Aug 10 '21 07:08 HarshSainiJobvite

I'm having the same issue in 0.2.7, and it's critical now.

Critical        Prototype Pollution in lodash
Package         lodash
Patched in      >=4.17.12
Dependency of   karma-html-reporter [dev]
Path            karma-html-reporter > lodash
More info       https://github.com/advisories/GHSA-jf85-cpcp-j695
More info       https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

maks-humeniuk avatar Feb 16 '22 16:02 maks-humeniuk
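
The audit paths quoted in this thread (the original report and the later listing with "Patched in >=4.17.12") both describe the same situation: the project's own lodash is fine, but karma-html-reporter carries a nested, unpatched copy under it. The following Node script is an added example, not code from the karma-html-reporter project or from any commenter, showing how to confirm that from a package-lock.json v1-style `dependencies` tree without relying on `npm audit` output. The lockfile object, the function names (`findUnpatched`, `compareVersions`, `findPackage`, `parseVersion`) and the version floor passed in are all constructed for the example; the only page-provided values are the package names, the 2.2.1 / 0.2.7 versions and the 4.17.12 patched floor.

```javascript
// Added example (not from the karma-html-reporter project): walk a
// package-lock.json v1-style "dependencies" tree and report every copy of a
// package whose version is below the "Patched in" floor named in an advisory.
// The lockfile further down is constructed to mirror the audit path quoted in
// this thread (karma-html-reporter > lodash); it is not a real lockfile.

// Parse "4.17.12" (or "^4.17.12", ">=4.17.12") into [4, 17, 12].
// Pre-release suffixes such as "-beta.1" are dropped for brevity.
function parseVersion(v) {
  return v
    .replace(/^[^\d]*/, '')
    .split('-')[0]
    .split('.')
    .map((n) => parseInt(n, 10) || 0);
}

// Comparator semantics: compareVersions(a, b) < 0 means a is older than b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every occurrence of `name` in the nested tree, returning
// an audit-style path ("karma-html-reporter > lodash") and the pinned version.
function findPackage(deps, name, trail = []) {
  const hits = [];
  for (const [depName, info] of Object.entries(deps || {})) {
    const path = [...trail, depName];
    if (depName === name) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    // Nested copies live under the parent's own "dependencies" object.
    hits.push(...findPackage(info.dependencies, name, path));
  }
  return hits;
}

// Keep only the copies that are still below the advisory's patched floor.
function findUnpatched(lockfile, name, patchedMin) {
  return findPackage(lockfile.dependencies, name).filter(
    (hit) => compareVersions(hit.version, patchedMin) < 0
  );
}

// Constructed lockfile: the root depends on a patched lodash, while
// karma-html-reporter still pins its own old copy underneath it, which is why
// bumping lodash at the top level alone does not clear the audit finding.
const sampleLock = {
  name: 'example-project',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    'karma-html-reporter': {
      version: '0.2.7',
      dev: true,
      dependencies: {
        lodash: { version: '2.2.1' },
      },
    },
  },
};

// Stand-alone run: print each unpatched copy with its path.
for (const hit of findUnpatched(sampleLock, 'lodash', '4.17.12')) {
  console.log(`unpatched: ${hit.path} @ ${hit.version} (patched in >=4.17.12)`);
}
```

Pointing `sampleLock` at a real parsed package-lock.json shows exactly which parent pins the old copy, which is the information needed to decide whether a top-level bump, an `overrides` entry, or an upstream fix is the right remedy.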

Any updates on this?

CharlotteZheng avatar Mar 10 '23 20:03 CharlotteZheng

I'm also looking for updates

kvulpetti avatar Apr 10 '24 21:04 kvulpetti