Describe the bug
After the security fixes on NPM dependencies made by #155 and #156, there are still two remaining issues on lodash (< 4.17.13) and js-yaml (< 3.13.1). Those vulnerabilities are in the project because they're included in other dependencies which can't be upgraded.
This issue is here to keep track and make sure that those vulnerabilities are patched when new versions of the dependencies become available.
Here is some info on those dependencies:
html-webpack-plugin: It seems that this vulnerability is fixed & merged in master. Will it be released in the next version? (https://github.com/jantimon/html-webpack-plugin/pull/1270)
inject-loader: Vulnerabilities are present because this dependency still uses babel v6. Babel has fixed the vulnerability in v7, but this is still not integrated in inject-loader: https://github.com/plasticine/inject-loader/issues/62
karma has fixed the lodash vulnerability but it still uses another one which imports it (log4js). https://github.com/karma-runner/karma/issues/3349
eslint-vue-plugin: https://github.com/vuejs/eslint-plugin-vue/issues/920
To Reproduce
client/ folder
npm ls lodash and npm ls js-yaml.
Expected behavior
All the vulnerabilities are patched.
Screenshots
Environment
All
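One way to turn the `npm ls lodash` / `npm ls js-yaml` check from the reproduction steps into a repeatable report, as an added example that is not part of the original issue or the project's code: it walks a tree in the shape of `npm ls --json` output and lists every dependency chain ending in a version below the thresholds named in the issue. The names `findVulnerable`, `isOlder` and `SAMPLE_TREE` are hypothetical, and the sample tree is constructed with made-up versions.

```javascript
// Thresholds come from the issue text: lodash < 4.17.13 and js-yaml < 3.13.1.
const FIXED = new Map([['lodash', '4.17.13'], ['js-yaml', '3.13.1']]);

// Compare two plain x.y.z versions numerically (pre-release tags are not handled).
function isOlder(version, fixed) {
  const a = version.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Depth-first walk of the `dependencies` maps; one entry per vulnerable copy found.
function findVulnerable(node, chain = []) {
  const found = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...chain, name];
    const fixed = FIXED.get(name);
    // Entries without a version (e.g. missing packages) are skipped.
    if (fixed && dep.version && isOlder(dep.version, fixed)) {
      found.push({ path: path.join(' > '), version: dep.version, fixed });
    }
    found.push(...findVulnerable(dep, path));
  }
  return found;
}

// Constructed sample in the shape of `npm ls --json` output (versions are made up).
const SAMPLE_TREE = {
  name: 'client',
  dependencies: {
    'html-webpack-plugin': { version: '3.2.0', dependencies: { lodash: { version: '4.17.11' } } },
    karma: {
      version: '4.2.0',
      dependencies: {
        lodash: { version: '4.17.15' }, // already at or above the fixed release
        log4js: { version: '4.5.1', dependencies: { lodash: { version: '4.17.11' } } },
      },
    },
    'eslint-plugin-vue': { version: '5.2.3', dependencies: { 'js-yaml': { version: '3.12.0' } } },
  },
};

for (const hit of findVulnerable(SAMPLE_TREE)) {
  console.log(`${hit.path}@${hit.version} (fixed in ${hit.fixed})`);
}
```

Against a real checkout, the tree would come from parsing the output of `npm ls --json` run in the `client/` folder instead of `SAMPLE_TREE`.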