cli
Prototype Pollution by semantic-release-cli > travis-ci > lodash dependency
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a new property or modifying an existing one so that it is then present on all objects.
Remediation: Update to version 4.17.12 or later.
| High | Prototype Pollution |
|---|---|
| Package | lodash |
| Patched in | >=4.17.12 |
| Dependency of | semantic-release-cli [dev] |
| Path | semantic-release-cli > travis-ci > lodash |
| More info | https://npmjs.com/advisories/782 |
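To make the mechanism in the advisory concrete, here is an added example (not lodash's own code, and not code from this repository): a minimal recursive "defaults deep" that honours untrusted keys the way the advisory describes, next to a hardened form that refuses them. All function names, the `FORBIDDEN_KEYS` set and the two JSON payloads are assumptions constructed for the demonstration.

```javascript
// Added example, not lodash's source: a minimal recursive "defaults deep"
// that reproduces the flaw class the advisory describes, next to a hardened
// form. Function names and payloads here are hypothetical/constructed.

// A permissive "is object" check that also accepts functions, so the merge
// descends into target.constructor (the Object function) and then into
// its .prototype (Object.prototype).
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// VULNERABLE: every key of `source` is honoured, including "constructor" and
// "__proto__", and recursion follows whatever `target[key]` resolves to.
function naiveDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    const tgtVal = target[key]; // for "constructor" on {} this is Object itself
    if (isObjectLike(srcVal)) {
      if (isObjectLike(tgtVal)) {
        naiveDefaultsDeep(tgtVal, srcVal); // eventually target === Object.prototype
      } else if (tgtVal === undefined) {
        target[key] = naiveDefaultsDeep({}, srcVal);
      }
    } else if (tgtVal === undefined) {
      target[key] = srcVal; // defaults semantics: only fill missing values
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach the prototype chain, consult only the
// target's own properties, and only recurse into plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk toward Object.prototype
    const srcVal = source[key];
    const tgtVal = hasOwn(target, key) ? target[key] : undefined; // ignore inherited values
    if (isPlainObject(srcVal)) {
      if (isPlainObject(tgtVal)) {
        safeDefaultsDeep(tgtVal, srcVal);
      } else if (tgtVal === undefined) {
        target[key] = safeDefaultsDeep({}, srcVal);
      }
    } else if (tgtVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker payloads, as they would arrive in a parsed JSON body.
// The first is the shape named in the advisory; the second is the classic
// "__proto__" variant (JSON.parse creates it as an own property).
const CONSTRUCTOR_PAYLOAD = '{"constructor":{"prototype":{"isAdmin":true}}}';
const PROTO_PAYLOAD = '{"__proto__":{"isAdmin":true}}';

// Merges one payload into an empty object and reports whether the marker
// leaked onto a fresh, unrelated object. Removes the marker afterwards so the
// process stays usable.
function leaksToAllObjects(mergeFn, payloadJson, marker = 'isAdmin') {
  mergeFn({}, JSON.parse(payloadJson));
  const leaked = ({})[marker] === true;
  delete Object.prototype[marker];
  return leaked;
}

// Usage: the naive merge pollutes via both payloads, the hardened one via neither.
console.log('naive/constructor :', leaksToAllObjects(naiveDefaultsDeep, CONSTRUCTOR_PAYLOAD));
console.log('naive/__proto__   :', leaksToAllObjects(naiveDefaultsDeep, PROTO_PAYLOAD));
console.log('safe/constructor  :', leaksToAllObjects(safeDefaultsDeep, CONSTRUCTOR_PAYLOAD));
console.log('safe/__proto__    :', leaksToAllObjects(safeDefaultsDeep, PROTO_PAYLOAD));
```

The point of the hardened helper is to show what the patched lodash has to prevent; it is not a substitute for upgrading. After updating, confirm which lodash versions are actually resolved in the tree with `npm ls lodash`, since a dev-only path such as the one above can still drag in an old copy through a transitive dependency.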
There are other dependencies that also require an update:
| Moderate | Regular Expression Denial of Service |
|---|---|
| Package | underscore.string |
| Patched in | >=3.3.5 |
| Dependency of | semantic-release-cli [dev] |
| Path | semantic-release-cli > travis-ci > underscore.string |
| More info | https://npmjs.com/advisories/745 |
| Low | Denial of Service |
|---|---|
| Package | mem |
| Patched in | >=4.0.0 |
| Dependency of | semantic-release-cli [dev] |
| Path | semantic-release-cli > npm > libnpx > yargs > os-locale > mem |
| More info | https://npmjs.com/advisories/1084 |