IBMStreams / build-ibmstreams

IBM Streams build extension for Atom
https://atom.io/packages/build-ibmstreams
Apache License 2.0

lodash vulnerability found in package-lock.json #64

Open schubon opened 5 years ago

schubon commented 5 years ago

Details

CVE-2019-10744

Vulnerable versions: < 4.17.13
Patched version: 4.17.13

Affected versions of lodash are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Remediation

Upgrade lodash to version 4.17.13 or later. For example:

"dependencies": {
  "lodash": ">=4.17.13"
}

or…

"devDependencies": {
  "lodash": ">=4.17.13"
}

Always verify the validity and compatibility of suggestions with your codebase.
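The following is an added worked example for this thread; it is not code from the build-ibmstreams project, from lodash, or from the reporter. It reproduces the mechanism the advisory describes (a deep "defaults" merge that follows a `constructor` key from a plain object to `Object` and then to `Object.prototype`) with a hand-written stand-in for a pre-4.17.13 `defaultsDeep`, shows a hardened variant, and walks a constructed lockfileVersion 1 `package-lock.json` tree to find nested lodash copies below 4.17.13. All function names, the `polluted` marker property and the sample lock data are assumptions made for the example.

```javascript
// Added example (not project or lodash code). Stand-in for the CVE-2019-10744
// mechanism, a hardened merge, and a package-lock.json version check.

// lodash-style isObject: functions count as objects, which is what lets a
// merge walk from `constructor` (the Object function) into its `prototype`.
function isObject(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable stand-in for a pre-4.17.13 defaultsDeep: fills in missing keys,
// recursing into any pair of object-like values, with no key filtering and
// with inherited lookups included (target.constructor === Object).
function defaultsDeepNaive(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    const dstVal = target[key];
    if (isObject(dstVal) && isObject(srcVal)) {
      defaultsDeepNaive(dstVal, srcVal);
    } else if (dstVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hardened variant: skips the keys that reach Object.prototype and only ever
// recurses into the target's own plain-object values, never inherited ones.
function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    const dstVal = hasOwn(target, key) ? target[key] : undefined;
    if (isPlainObject(srcVal)) {
      if (dstVal === undefined) target[key] = {};
      else if (!isPlainObject(dstVal)) continue; // existing scalar default wins
      defaultsDeepSafe(target[key], srcVal);
    } else if (dstVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed attacker payload: JSON.parse makes "constructor" and "__proto__"
// ordinary own properties, so Object.keys() hands them to the merge.
const PAYLOAD = '{"constructor": {"prototype": {"polluted": "yes"}},' +
  ' "__proto__": {"polluted": "yes"}, "retries": 9, "logLevel": "debug",' +
  ' "tls": {"verify": false}}';

// Returns what a fresh, unrelated object sees afterwards ('yes' = polluted).
function demoVulnerable() {
  defaultsDeepNaive({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // undo so the process stays usable
  return leaked;
}

function demoHardened() {
  const config = defaultsDeepSafe({ retries: 3, tls: { verify: true } }, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { leaked, config };
}

// Numeric per-segment compare; pre-release suffixes (e.g. "-beta") are not handled.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// lockfileVersion 1 nests "dependencies" recursively, so a vulnerable lodash
// can sit under another package even when the top-level copy is patched.
function findVulnerableLodash(deps, path = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === 'lodash' && versionLessThan(entry.version, '4.17.13')) {
      out.push(`${here.join(' > ')}@${entry.version}`);
    }
    findVulnerableLodash(entry.dependencies, here, out);
  }
  return out;
}

// Constructed lock fragment, not this repository's actual package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.15' },
    'some-build-tool': { version: '1.0.0', dependencies: { lodash: { version: '4.17.11' } } },
  },
};

console.log(JSON.stringify({
  naiveMergeLeaks: demoVulnerable(),
  hardened: demoHardened(),
  vulnerableLodashInLock: findVulnerableLodash(SAMPLE_LOCK.dependencies),
}, null, 2));
```

The hardened merge keeps the "defaults" semantics (existing target values win, missing ones are filled in) while refusing the three keys that lead to `Object.prototype` and never descending into an inherited property. The lock walk is the check the issue title implies: run it over the real `package-lock.json` after the upgrade, because a `">=4.17.13"` range in `package.json` only pins the copy that this package depends on directly.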