Nyalab / caniuse-api

request the caniuse data to check browser compatibility
MIT License

auditjs vulnerability warnings #81

Open sirudog opened 5 years ago

sirudog commented 5 years ago

Hello,

I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts. This generates a vulnerability report for the package dependencies my project uses. When the audit command is executed, it reports several warnings about lodash referenced by the caniuse-api package. The issue is mainly about caniuse-api using older, vulnerable versions of the lodash packages. My question is whether caniuse-api could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.

Here is the output of auditjs:

------------------------------------------------------------
[161/1242] lodash.uniq 4.5.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /css-loader/cssnano/postcss-merge-rules/caniuse-api/lodash.uniq

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /css-loader/cssnano/postcss-merge-rules/caniuse-api/lodash.uniq
------------------------------------------------------------
[448/1242] lodash.memoize 4.1.2  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /css-loader/cssnano/postcss-merge-rules/caniuse-api/lodash.memoize

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /css-loader/cssnano/postcss-merge-rules/caniuse-api/lodash.memoize
------------------------------------------------------------
mwleinad commented 4 years ago

Same issue for us. The lodash dependencies are outdated.