HTML Generated by scribe uses a version of lodash that has had a 9.1 CVE vulnerability since 2019 amongst 5 others
Scribe version
4.37.0
Your question
Our internal tool has found that scribe points to lodash-4.17.10.min.js, which is flagged in this advisory: https://github.com/advisories/GHSA-jf85-cpcp-j695
It also includes these:
- https://github.com/advisories/GHSA-p6mc-m468-83gw
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
- https://github.com/advisories/GHSA-4xc9-xhrj-v574
- https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Could this please be updated ASAP? Thanks
Docs
- [X] I've checked the docs, the troubleshooting guide, and existing issues, but I didn't find a solution
Is your application at risk because of these?
We have fairly strict security practices in our repos and these get flagged automatically
I manually fixed it in the generated HTML and it still seems to work fine. But you really should just update it.
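The manual fix described above (editing the pinned lodash reference in the generated HTML) is easy to automate as a post-generation check. The script below is an added example written for this thread, not Scribe's own code. It scans HTML for version-pinned lodash references, reports any older than a minimum version, and rewrites them. It handles both the `lodash-4.17.10.min.js` file-name form quoted in the issue and the `lodash@x.y.z/...` form used by CDN URLs, which goes slightly beyond what the thread shows. The minimum version is an assumption: the value used here is the release the script's author expects to clear the linked advisories, and should be confirmed against the advisory pages. The sample HTML is constructed for the demo and is not real Scribe output.

```python
"""Flag and rewrite outdated version-pinned lodash references in generated HTML."""
import re
from typing import List, Tuple

# ASSUMPTION (not stated in the thread): lowest lodash release that clears the
# six linked advisories. Verify against the advisory pages before relying on it.
MIN_SAFE_VERSION = (4, 17, 21)

# Matches "lodash-4.17.10" (file-name form from the issue) and "lodash@4.17.10"
# (CDN path form). Group 1 keeps the prefix so the rewrite preserves the style.
LODASH_REF = re.compile(r"(lodash[-@])(\d+)\.(\d+)\.(\d+)")


def find_lodash_versions(html: str) -> List[Tuple[int, int, int]]:
    """Return every pinned lodash version referenced in the HTML, in order."""
    return [(int(a), int(b), int(c)) for _, a, b, c in LODASH_REF.findall(html)]


def outdated_versions(html: str) -> List[str]:
    """Return version strings that are older than MIN_SAFE_VERSION."""
    return ["%d.%d.%d" % v for v in find_lodash_versions(html) if v < MIN_SAFE_VERSION]


def bump_lodash_refs(html: str) -> str:
    """Rewrite outdated pinned references to MIN_SAFE_VERSION; newer ones are left alone."""
    target = "%d.%d.%d" % MIN_SAFE_VERSION

    def repl(m: "re.Match[str]") -> str:
        version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        if version >= MIN_SAFE_VERSION:
            return m.group(0)
        return m.group(1) + target

    return LODASH_REF.sub(repl, html)


# Constructed sample resembling a generated docs page; not real Scribe output.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="vendor/lodash-4.17.10.min.js"></script>
<script src="https://cdn.example.invalid/lodash@4.17.21/lodash.min.js"></script>
</head><body>Generated API docs</body></html>
"""


if __name__ == "__main__":
    # Typical use: run over the generated docs directory after `php artisan scribe:generate`.
    for old in outdated_versions(SAMPLE_HTML):
        print("outdated lodash reference: %s (minimum %d.%d.%d)" % ((old,) + MIN_SAFE_VERSION))
    print(bump_lodash_refs(SAMPLE_HTML))
```

The rewrite only changes the version string, so the bundled file or CDN path it points at must actually exist at the new version, and the check should be rerun after every regeneration since the generator will reintroduce the old reference.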
It sounds like you're talking about something that benefits you only, but expecting me to dedicate effort and resources to it. Between the two of us, only one person is paid to work with Scribe (or with PHP for that matter), and that's not me.
Thanks for filing a report, but I have very limited time. I'll close this as this is one of those "security vulnerabilities" that's reported by default, but is pretty benign in practice. If you think it's important, you could send a PR, and I'll review when I'm free.