Dependency `lodash.trimend` is out of date and the dependency has known public CVEs - CVE-2020-28500
The lodash.trimend package is a transitive dependency of botbuilder and botbuilder-dialogs.
botbuilder-dialogs --> @microsoft/recognizers-text-suite --> @microsoft/recognizers-text-number --> lodash.trimend
But for the lodash.trimend package (https://www.npmjs.com/package/lodash.trimend), version 4.5.1 has already been the latest version for 8 years, and it seems lodash.trimend is not maintained any more.
It looks like there was a previous issue where this was potentially fixed but it was not. https://github.com/microsoft/botbuilder-js/issues/4579 Additionally here is a closed issue from lodash https://github.com/lodash/lodash/issues/5643
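To check whether a project is actually pulling in the flagged package, and through which chain, it helps to walk the lockfile rather than trust a scanner's summary. The script below is an added example, not code from the botbuilder-js project: it reads a package-lock.json (lockfileVersion 2 or 3), resolves each package's dependencies the way Node does (nearest enclosing node_modules), and prints every root-to-target path together with the installed version. The embedded lockfile is constructed to mirror the chain reported above; the intermediate version numbers are placeholders, and only lodash.trimend 4.5.1 comes from the issue.

```python
"""Walk a package-lock.json (lockfileVersion 2 or 3) and report every
dependency path from the project root to a named package, with the
installed version at the end of each path."""
import json
from typing import Dict, List, Optional

# Constructed sample lockfile, not a real project's lockfile. It reproduces the
# chain from the issue: botbuilder-dialogs -> @microsoft/recognizers-text-suite
# -> @microsoft/recognizers-text-number -> lodash.trimend. Intermediate version
# numbers are placeholders; only lodash.trimend 4.5.1 comes from the issue.
SAMPLE_LOCK = json.dumps({
    "name": "my-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-bot", "version": "1.0.0",
             "dependencies": {"botbuilder-dialogs": "*"}},
        "node_modules/botbuilder-dialogs": {
            "version": "0.0.0-placeholder",
            "dependencies": {"@microsoft/recognizers-text-suite": "*"}},
        "node_modules/@microsoft/recognizers-text-suite": {
            "version": "0.0.0-placeholder",
            "dependencies": {"@microsoft/recognizers-text-number": "*"}},
        "node_modules/@microsoft/recognizers-text-number": {
            "version": "0.0.0-placeholder",
            "dependencies": {"lodash.trimend": "^4.5.1"}},
        "node_modules/lodash.trimend": {"version": "4.5.1"},
    },
})

Packages = Dict[str, dict]


def _resolve(packages: Packages, from_key: str, dep_name: str) -> Optional[str]:
    """Mimic Node's lookup: the nearest enclosing node_modules that holds dep_name.
    Lockfile keys are install paths ("node_modules/a/node_modules/b"), so this
    climbs from the requiring package's own node_modules up to the root."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed (e.g. an optional dependency that was skipped)
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut >= 0 else ""


def _name_of(key: str) -> str:
    """Package name from an install path; keeps the @scope/ prefix."""
    return key.rsplit("node_modules/", 1)[1]


def paths_to(lock_json: str, target: str) -> List[List[str]]:
    """Return every root-to-target path as a list of 'name@version' strings."""
    lock = json.loads(lock_json)
    packages: Packages = lock["packages"]
    found: List[List[str]] = []

    def walk(key: str, path: List[str], on_stack: frozenset) -> None:
        for dep in packages[key].get("dependencies", {}):
            dep_key = _resolve(packages, key, dep)
            if dep_key is None or dep_key in on_stack:
                continue  # missing package or a dependency cycle
            name = _name_of(dep_key)
            step = path + [f"{name}@{packages[dep_key]['version']}"]
            if name == target:
                found.append(step)
            else:
                walk(dep_key, step, on_stack | {dep_key})

    walk("", [lock["name"]], frozenset({""}))
    return found


def installed_versions(lock_json: str, target: str) -> List[str]:
    """Every installed version of target, including nested duplicate copies."""
    packages = json.loads(lock_json)["packages"]
    return sorted(
        {entry["version"] for key, entry in packages.items()
         if key and _name_of(key) == target}
    )


if __name__ == "__main__":
    for chain in paths_to(SAMPLE_LOCK, "lodash.trimend"):
        print(" --> ".join(chain))
    print("installed versions:", installed_versions(SAMPLE_LOCK, "lodash.trimend"))
```

Point it at a real lockfile by replacing `SAMPLE_LOCK` with the file contents; `npm ls lodash.trimend` gives the same chain view from the CLI, but walking the lockfile yourself lets you assert on it in CI and catch a nested second copy that a hoisted listing can hide.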
@ceciliaavila Any update on this?
Hi @cbelsole, we started working on this issue today. Version 1.3 of Recognizers-Text has this issue fixed, but we can't upgrade to that without introducing breaking changes.
@ceciliaavila Any update on this?
Hi @cbelsole, we need to finish testing the fix we did for this. We'll keep you posted.
Hi @ceciliaavila, any update on this?
@ceciliaavila any update on the PR progress or any plan to merge the PR? Thanks.
@ceciliaavila Hi, any update on it? This security vulnerability has been open for a couple of years.
@ceciliaavila can you provide an update, and possibly an ETA for this? We (Microsoft) are internally affected by this. Our software is being flagged and the alternative (m365 agents sdk) is not ready for prime time for a migration yet.
Hi @tracyboehrer, there's considerable interest in the fix mentioned in #4818. Do we have any plans for a version release that includes this?
@ceciliaavila ping - I am unable to get @tracyboehrer's attention through MS Teams. Maybe you'll have more luck.