express-oauth-server

Update Lodash to 4.17.21

Open adriendomoison opened this issue 3 years ago • 2 comments

To avoid critical security issues, lodash needs to be updated to 4.17.21 urgently.

https://snyk.io/test/npm/lodash/4.17.20

Jul 28 '21 02:07 adriendomoison

Any news on this?

Mar 17 '22 08:03 spuxx-dev

Same.

$ npm audit
lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
No fix available
node_modules/lodash
  oauth2-server  <=3.1.1
  Depends on vulnerable versions of lodash
  node_modules/oauth2-server
    express-oauth-server  *
    Depends on vulnerable versions of oauth2-server
    node_modules/express-oauth-server


3 vulnerabilities (2 high, 1 critical)

Some issues need review, and may require choosing
a different dependency.

May 30 '22 03:05 ybhwang
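
Added example, not part of the original thread or of the project's code: a small Node.js check that scans a `package-lock.json` (lockfileVersion 2 or 3) for installed lodash copies below 4.17.21 and lists which packages declare lodash as a dependency, mirroring the chain in the `npm audit` output above. The function names and the sample lockfile are assumptions made for illustration; the sample versions are constructed.

```javascript
'use strict';
// Added example. The floor is the lodash version requested in this issue.
const FIXED = [4, 17, 21];

// Parse "x.y.z" (ignoring any pre-release or build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version < floor. Unparseable versions are flagged for review.
function isBelow(version, floor) {
  const a = parseVersion(version);
  if (!a) return true;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== floor[i]) return a[i] < floor[i];
  }
  return false;
}

// Returns [{ path, version, via }] for each lodash install below the floor.
// For a real project: JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
function findOldLodash(lock, floor = FIXED) {
  const pkgs = Object.entries(lock.packages || {});
  // Simplification: "via" lists every package that declares lodash,
  // without resolving which nested copy each one actually receives.
  const via = pkgs
    .filter(([, m]) => m.dependencies && 'lodash' in m.dependencies)
    .map(([p]) => p.split('node_modules/').pop() || '(root)');
  return pkgs
    .filter(([path, meta]) => path.endsWith('node_modules/lodash') && isBelow(meta.version, floor))
    .map(([path, meta]) => ({ path, version: meta.version, via }));
}

// Constructed sample lockfile (versions and ranges are illustrative only).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'express-oauth-server': '*' } },
    'node_modules/express-oauth-server': { version: '0.0.0', dependencies: { 'oauth2-server': '3.1.1' } },
    'node_modules/oauth2-server': { version: '3.1.1', dependencies: { lodash: '4.17.20' } },
    'node_modules/lodash': { version: '4.17.20' },
  },
};

console.log(findOldLodash(sampleLock));
```

When the scan reports a copy pulled in by a package that has no fixed release, the `overrides` field in `package.json` (npm 8.3 or later) can force lodash 4.17.21 for the whole tree until the upstream dependency is updated.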