xmlbuilder@2.6.2 has a vulnerability

IBM / ibm-cos-sdk-js

ibm-cos-sdk-js

Apache License 2.0

38 stars 19 forks source link

xmlbuilder@2.6.2 has a vulnerability #25

Closed ceastman-ibm closed 6 years ago

ceastman-ibm commented 6 years ago

✗ Low severity vulnerability found on lodash@3.5.0

desc: Prototype Pollution
info: https://snyk.io/vuln/npm:lodash:20180130
from: ibm-cos-sdk@1.2.0 > xmlbuilder@2.6.2 > lodash@3.5.0 Upgrade direct dependency xmlbuilder@2.6.2 to xmlbuilder@4.2.1 (triggers upgrades to lodash@4.17.5)

seamus-mcgrath commented 6 years ago

Hi @ceastman-ibm we will update the library & test internally before releasing it within the SDK.

seamus-mcgrath commented 6 years ago

Jira created CSAFE-37098, I do not have an ETA on release, it will have to get prioritised.

ceastman-ibm commented 6 years ago

@smcgrath-IBM any update on this request?

paul-carron commented 6 years ago

@ceastman-ibm we're still investigating but don't yet have a planned into a release. I'll escalate and update this ticket when I have more information.

ceastman-ibm commented 6 years ago

@smcgrath-IBM @paul-carron any update?

paul-carron commented 6 years ago

@ceastman-ibm we're hoping to have it in the next release.

ceastman-ibm commented 6 years ago

@paul-carron when is the next release scheduled for?

hegdehr commented 6 years ago

@paul-carron Could you provide an update on this once the release is confirmed?

barry-hueston commented 6 years ago

Hi @ceastman-ibm this issue has been resolved in the latest public release of the Node.js SDK. Version 1.2.2.

Please let us know if you have any further issues with this.