OctopusDeploy / gulp-octo

⛔️ DEPRECATED A gulp wrapper for octopack library to push projects to Octopus Deploy
http://www.octopus.com

Npm audit reports Prototype Pollution vulnerability #12

Closed mjarosie closed 5 years ago

mjarosie commented 5 years ago

The vulnerability is introduced because of a dependency on @octopusdeploy/octopackjs@0.0.7, which in turn depends on lodash@3.10.1.

Partial output of npm audit:

Patched in      >=4.17.5
Dependency of   @octopusdeploy/gulp-octo [dev]
Path            @octopusdeploy/gulp-octo > @octopusdeploy/octopackjs >
                  zip-stream > archiver-utils > lodash

Snyk report: https://snyk.io/test/npm/@octopusdeploy/gulp-octo

As snyk suggests, the remedy would be to upgrade @octopusdeploy/octopackjs dependency to version 0.1.0.
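The audit "Path" line above is produced by walking the nested dependency tree until a package in the vulnerable range is reached. The script below is an added example, not code from gulp-octo or octopackjs: it walks a lockfile-v1 style tree and reports every chain that ends in a lodash version below the patched range. Only lodash@3.10.1 and octopackjs@0.0.7 come from the issue; the intermediate versions and the gulp branch are constructed.

```javascript
// Added example (not gulp-octo project code): walk an npm lockfile-v1 style
// dependency tree and report every path reaching a lodash version below the
// patched range (>=4.17.5), like the "Path" line in the npm audit output above.
// Intermediate versions are constructed; only lodash@3.10.1 and
// octopackjs@0.0.7 come from the issue.
const lockfile = {
  name: '@octopusdeploy/gulp-octo',
  dependencies: {
    '@octopusdeploy/octopackjs': {
      version: '0.0.7',
      dependencies: { 'zip-stream': { version: '1.2.0',
        dependencies: { 'archiver-utils': { version: '1.3.0',
          dependencies: { lodash: { version: '3.10.1' } } } } } },
    },
    gulp: { version: '4.0.2', dependencies: { lodash: { version: '4.17.15' } } },
  },
};

// Numeric dotted-version comparison; returns <0, 0 or >0 (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk over nested "dependencies"; returns every chain
// "root > a@x > b@y" that ends in `name` at a version below `patchedIn`.
function findVulnerablePaths(lock, name, patchedIn) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const path = [...trail, `${pkg}@${meta.version}`];
      if (pkg === name && compareVersions(meta.version, patchedIn) < 0) {
        hits.push(path.join(' > '));
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, [lock.name]);
  return hits;
}

console.log(findVulnerablePaths(lockfile, 'lodash', '4.17.5'));
```

The gulp branch pulls in a patched lodash and is correctly not reported, which is why a flat "is lodash installed?" check is not enough and the full path matters.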

aittomakia commented 5 years ago

There seem to be multiple Moderate and Low level vulnerabilities regarding Lodash. Any chance the Lodash dependencies could be updated?

Although this repository looks pretty inactive, so I would not get my hopes up.

zentron commented 5 years ago

Have updated gulp dependencies and npm audit looks clean (as of time of writing)