react-bootstrap-table2
Underscore version
Hello,
We are facing vulnerabilities with underscore library version, our security scan says that its version is outdated and suggests us to update it. Since we are not using underscore directly and it comes as a dependency from react-bootstrap-table-next we can't change it. We have been wondering if you still maintain react-bootstrap-table-next, because the last release is from almost a year ago and if you do will you bump underscore version in incoming releases?
Best Regards, Nikolay
I face the same problem. I saw that the underscore dependency is explicitly set to version 1.9.1 so it is not possible to use a newer version (even if I install it as dependency of my package). Underscore has a newer version (1.12.1) which does not have the vulnerability. Do you plan to update it? By the way, I'm using react-bootstrap-table-next's version 3, I'd be very happy if you can bump underscore version in both v4 and v3. But if it's only in v4 then that's good too, at least I'll have a way to solve my problem.
I'm using Parcel 2 to build my React app and the current underscore 1.9.1 is breaking at runtime, because of Parcel's scope hoisting feature. I've checked that underscore 1.13.1 works fine with Parcel's scope hoisting functionality, so I'm really interested in this change.
There was an arbitrary code execution notice posted for this Underscore version today: https://www.npmjs.com/advisories/1674
Any chance of updates?
@AllenFang I'm trying to create a PR for this, but getting:
Noticed that dependabot created a PR (#1612), bumped the version from 1.9.1 to 1.12.1
Same problem here, when will it be fixed? thanks
Same problem here.
@AllenFang please merge the dependabot alert. Is this project on active development?
@AllenFang any luck? Still waiting for this merge
This is a great project and is on active development, but it is super slow moving at times...
@chunming-c, do you have permission to merge this? Looks like nothing has been merged since Aug 2020 :(
I think we must give up using this package 👎
anything new?
I am also facing the same issue, is there any update regarding this?
Any updates on this merge?
Hi, any update on the merge?
Hi Team, do we have an update for this issue?
Hi Team, do we have any updates for this issue? Still getting the vulnerability issue
For those using yarn & dealing with this vulnerability, you can use resolutions in your package.json.
You are relying on an unmaintained but working package and one of its dependencies got upgraded. You know the upgrade would not break things and you also don’t want to fork the package you are relying on, just to update a minor dependency.
"resolutions": {
  "react-bootstrap-table-next/underscore": "1.13.0-2"
},

then run yarn install to fix the dependencies.
Since this repository seems to be no longer maintained, a version fix is unlikely. There have been efforts to fork the repository and maintain the fork (or at least bump the versions of dependencies as needed). The most active one I have found yet is: https://github.com/BonnierNews/react-bootstrap-table2
The maintainer provides a short summary on how to replace the dependency for react-bootstrap-table-next in your package.json, making this viable for use with npm as well.
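The two workarounds above (a yarn "resolutions" entry, and the equivalent for npm) both pin a transitive copy of underscore that you do not depend on directly, so the thing worth verifying afterwards is that no copy of the old version is still installed. The following script is an added example, not code from this thread or from the react-bootstrap-table2 project: it writes the override stanza in both the yarn `resolutions` form used in the comment above and npm's nested `overrides` form, and then audits a lockfileVersion 2/3 package-lock.json for any hoisted or nested copy of underscore older than 1.12.1 (the version the thread reports as fixed). The lockfile content embedded below is constructed sample data, and the `0.0.0-sample` version of react-bootstrap-table-next is a placeholder.

```javascript
// Added example (not part of the issue thread): pin a transitive dependency
// for yarn and npm, then check a package-lock.json for leftover old copies.
// Package names and the fixed version come from the thread; the lockfile
// below is constructed sample data.
const PKG = 'underscore';
const MIN_FIXED = '1.12.1'; // version the thread reports as free of the vulnerability

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease such as 1.13.0-2 sorts below 1.13.0.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json and
// returns every installed copy of `pkg` whose version is older than
// `minVersion`. Keys are node_modules paths, so a nested copy such as
// node_modules/<parent>/node_modules/<pkg> is found as well as the hoisted one.
function findOutdatedCopies(lock, pkg, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    if (compareSemver(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Returns a copy of package.json with the transitive pin added in both forms:
// yarn "resolutions" keys the child by "<parent>/<child>", npm "overrides"
// nests the child under the parent. Other fields are left untouched.
function addOverride(pkgJson, parent, pkg, version) {
  const out = JSON.parse(JSON.stringify(pkgJson));
  out.resolutions = { ...(out.resolutions || {}), [`${parent}/${pkg}`]: version };
  const overrides = out.overrides || {};
  out.overrides = { ...overrides, [parent]: { ...(overrides[parent] || {}), [pkg]: version } };
  return out;
}

// Constructed sample lockfile: the app's own underscore is hoisted at 1.13.1,
// but react-bootstrap-table-next still carries its pinned 1.9.1 nested copy.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { 'react-bootstrap-table-next': '*', underscore: '^1.13.1' } },
    'node_modules/underscore': { version: '1.13.1' },
    'node_modules/react-bootstrap-table-next': { version: '0.0.0-sample', dependencies: { underscore: '1.9.1' } },
    'node_modules/react-bootstrap-table-next/node_modules/underscore': { version: '1.9.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('outdated copies:', findOutdatedCopies(SAMPLE_LOCK, PKG, MIN_FIXED));
  console.log(JSON.stringify(
    addOverride({ name: 'sample-app' }, 'react-bootstrap-table-next', PKG, '1.13.1'), null, 2));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result from `findOutdatedCopies` after reinstalling is the confirmation that the override actually removed the nested 1.9.1 copy, which is what the security scanner is flagging.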