
New vulnerabilities in used old dependencies: inquirer & lodash

Open ale4ko69 opened this issue 4 years ago • 10 comments

npm audit

lodash  <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/vorpal/node_modules/inquirer
    vorpal  *
    Depends on vulnerable versions of inquirer
    node_modules/vorpal

ale4ko69 avatar Aug 26 '21 14:08 ale4ko69
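The audit output above reports a nested chain (vorpal -> inquirer -> lodash) rather than a top-level package, which is why a plain `npm ls lodash` on the root can look clean. The script below is an added example, not code from the vorpal project or from anyone in this thread: it walks a package-lock.json v2/v3 style `packages` map offline and flags every install path whose package falls inside the version ranges the audit names (lodash <=4.17.20, inquirer <=0.11.4). The lockfile excerpt is constructed for the example, and the versions in it (including the vorpal version) are illustrative rather than read from any real install.

```javascript
// Added example: offline check of a package-lock.json "packages" map against
// the two version ranges reported by npm audit in this issue. Only "<=x.y.z"
// ranges are supported, which is all the audit output here needs.
const ADVISORIES = {
  lodash: { range: '<=4.17.20', note: 'Prototype Pollution / Command Injection' },
  inquirer: { range: '<=0.11.4', note: 'Depends on vulnerable versions of lodash' },
};

// Parse "major.minor.patch" (prerelease/build suffixes are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when `version` satisfies a "<=x.y.z" range string.
function satisfiesLte(version, range) {
  const m = /^<=(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return compareVersions(version, m[1]) <= 0;
}

// Lock keys look like "node_modules/vorpal/node_modules/inquirer"; the package
// name is everything after the last "node_modules/" (scoped names keep "@scope/").
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return one hit per install path whose name/version matches an advisory range,
// so the same package can be reported at several nesting depths.
function findVulnerable(lock, advisories = ADVISORIES) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (!name || !(name in advisories) || !entry.version) continue;
    const adv = advisories[name];
    if (satisfiesLte(entry.version, adv.range)) {
      hits.push({ name, version: entry.version, path: lockPath, note: adv.note });
    }
  }
  return hits;
}

// Constructed lockfile excerpt mirroring the install paths from the audit
// output above. Versions are illustrative, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-cli', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' }, // top-level copy is patched
    'node_modules/vorpal': { version: '1.12.0' },
    'node_modules/vorpal/node_modules/inquirer': { version: '0.11.0' },
    'node_modules/vorpal/node_modules/inquirer/node_modules/lodash': { version: '3.10.1' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.path}: ${h.note}`);
}
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the point of reporting the full lock path is that the top-level lodash being patched says nothing about the copy nested under vorpal's inquirer.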

Also running into this. I initially thought the issue was with Inquirer, but it appears they do not have lodash listed as a dependency, so perhaps Vorpal needs to upgrade lodash. Here is a screenshot of the audit output from npm. [screenshot of npm audit output]

TorahG avatar Sep 01 '21 17:09 TorahG
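Until the upstream dependency is bumped, a consuming project can pin the nested copy itself. The fragment below is an added example, not from the vorpal project or this thread; it uses the `overrides` field that npm supports from version 8.3 onwards to force the lodash resolved under vorpal's inquirer to a patched release. The package name `my-cli` and the chosen versions are assumptions for the example.

```json
{
  "name": "my-cli",
  "version": "1.0.0",
  "dependencies": {
    "vorpal": "^1.12.0"
  },
  "overrides": {
    "vorpal": {
      "inquirer": {
        "lodash": "^4.17.21"
      }
    }
  }
}
```

The nested form scopes the override to the copy under vorpal's inquirer only, leaving other lodash consumers untouched. The caveat is that the audited inquirer release was written against an older lodash line, so the override should be followed by running the CLI's prompts, not just by confirming that `npm audit` is quiet.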

anyone know a maintained fork of vorpal or something similar?

macrozone avatar Jan 25 '22 21:01 macrozone

This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to npm with a unique name, please post.

robross0606 avatar Aug 30 '22 03:08 robross0606