
npm install: 3 vulnerabilities (2 low, 1 high)

Open fnbk opened this issue 4 years ago • 4 comments

The current package [email protected] has a vulnerability, because the transitive dependency [email protected] is used in @pawelgalazka/cli more details

Merging the dependabot PR should easily solve this issue.

$ npm audit
# npm audit report

lodash  <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
No fix available
node_modules/@pawelgalazka/cli/node_modules/lodash
  @pawelgalazka/cli  *
  Depends on vulnerable versions of lodash
  node_modules/@pawelgalazka/cli
    tasksfile  *
    Depends on vulnerable versions of @pawelgalazka/cli
    node_modules/tasksfile

3 vulnerabilities (2 low, 1 high)

Some issues need review, and may require choosing
a different dependency.

fnbk avatar Jul 22 '21 17:07 fnbk

@pawelgalazka What do you think? When could you do that?

fnbk avatar Jul 23 '21 12:07 fnbk

@pawelgalazka Any updates? See https://github.com/pawelgalazka/cli/issues/11

henhal avatar Aug 27 '21 07:08 henhal

Six months later and this still causes audit warnings for me, would you consider upgrading lodash via the dependabot PR and/or switching to caret notation for dependencies so that users can override it in their lock files? @pawelgalazka

henhal avatar Mar 04 '22 12:03 henhal
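The audit tree in the opening post and the override request above both come down to one question: which nested copies of lodash in the lock file are older than the fixed release, and how do you force a newer copy without waiting for the upstream pin to change. The script below is an added example, not code from tasksfile, @pawelgalazka/cli or anyone in this thread. It walks the "packages" map of a lockfileVersion 2/3 package-lock.json, lists every lodash install below 4.17.21 (the first release outside the <=4.17.20 range npm audit reports, which covers both advisories 1523 and 1673), and builds the package.json "overrides" entry that pins the nested copy. The lock file is constructed inline to mirror the audit output; every version number other than lodash's cut-off is an assumption. "overrides" needs npm 8.3 or newer, and forcing a newer transitive version bypasses the dependant's own pin, so it is worth running the dependant's tests afterwards even for a patch-level bump.

```javascript
// Added example, not part of the tasksfile project or this issue thread.
// Finds installed copies of a package older than a fixed version in a
// lockfileVersion 2/3 package-lock.json and builds an npm "overrides" entry.

// Constructed lock file mirroring the `npm audit` tree in the issue.
// The tasksfile and @pawelgalazka/cli versions are assumptions.
const lock = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { tasksfile: "*" } },
    "node_modules/tasksfile": {
      version: "5.1.1",
      dependencies: { "@pawelgalazka/cli": "1.0.1" },
    },
    "node_modules/@pawelgalazka/cli": {
      version: "1.0.1",
      dependencies: { lodash: "4.17.15" }, // exact pin, so npm cannot dedupe it away
    },
    "node_modules/@pawelgalazka/cli/node_modules/lodash": { version: "4.17.15" },
    "node_modules/lodash": { version: "4.17.21" }, // top-level copy is already fixed
  },
};

// Compare dotted numeric versions ("4.17.15" vs "4.17.21"); returns -1, 0 or 1.
// Pre-release tags are not handled; lodash releases are plain x.y.z.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment;
// a scoped name such as "@pawelgalazka/cli" keeps both of its components.
function nameOf(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// The package that owns a nested node_modules directory, or "(root)" for
// a top-level install.
function parentOf(lockPath) {
  const idx = lockPath.lastIndexOf("/node_modules/");
  return idx === -1 ? "(root)" : nameOf(lockPath.slice(0, idx));
}

// Every install of pkgName whose version is older than fixedVersion.
function findVulnerableInstalls(lockfile, pkgName, fixedVersion) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
    if (nameOf(lockPath) !== pkgName || !entry.version) continue;
    if (compareVersions(entry.version, fixedVersion) < 0) {
      hits.push({ path: lockPath, version: entry.version, parent: parentOf(lockPath) });
    }
  }
  return hits;
}

// Build the narrowest "overrides" object that pins each vulnerable copy:
// a nested override ({ parent: { pkg: version } }) when the copy belongs to
// a dependant, a plain override when the top-level copy itself is old.
function buildOverrides(hits, pkgName, fixedVersion) {
  const overrides = {};
  for (const h of hits) {
    if (h.parent === "(root)") {
      overrides[pkgName] = fixedVersion;
    } else {
      overrides[h.parent] = { ...(overrides[h.parent] || {}), [pkgName]: fixedVersion };
    }
  }
  return overrides;
}

const vulnerable = findVulnerableInstalls(lock, "lodash", "4.17.21");
for (const h of vulnerable) {
  console.log(`${h.path} is lodash@${h.version} (pulled in by ${h.parent})`);
}
console.log("add to package.json:", JSON.stringify({ overrides: buildOverrides(vulnerable, "lodash", "4.17.21") }, null, 2));
```

After adding the printed "overrides" block to package.json, run `npm install` so the lock file is rewritten, then `npm audit` again; the nested node_modules/@pawelgalazka/cli/node_modules/lodash directory should disappear because the override lets the top-level 4.17.21 copy satisfy the dependant.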

I like the simplicity of this, but it might be time to fork and keep it actively maintained. Audit warnings a year on are a problem.

binaryben avatar Jul 01 '22 02:07 binaryben