Closed SurealCereal closed 3 years ago
We're using the following resolutions here:

```json
"resolutions": {
  "lodash": "^4.17.19",
  "node-fetch": "^2.6.1"
},
```

Within packages/client-react/package.json there is a reference to lodash 4.17.10. Please update to .11.
Vulnerable module: lodash
Introduced through: @opuscapita/react-filemanager@1.1.4 › lodash@4.17.10
Fixed in: 4.17.11
Vulnerable function: lodash.hasUnicodeWord
Description: lodash is a modern JavaScript utility library delivering modularity, performance, & extras.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters.
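The report above flags a second, nested copy of lodash that the top-level `resolutions` entry does not reach. The script below is an added example (not code from the issue or from the opuscapita project) that walks a package-lock.json, finds every copy of a listed package below its fixed version and reports which dependency introduced it; the lock file it reads is constructed inline to mirror the situation in the issue, and the `FIXED` table holds only the version quoted from the advisory.

```javascript
// Added example: find copies of a package below its fixed version in a
// package-lock.json, including nested copies that a root-level
// "resolutions" entry does not override. Not part of the original issue.

// Fixed versions to check against; lodash's comes from the advisory quoted above.
const FIXED = { lodash: '4.17.11' };

// Parse "1.2.3" (pre-release and build suffixes ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator; only major.minor.patch are compared.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: dependencies are nested objects, so recurse and keep the chain.
function walkV1(deps, chain, fixed, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (name in fixed && compareVersions(meta.version, fixed[name]) < 0) {
      findings.push({
        name,
        version: meta.version,
        fixedIn: fixed[name],
        introducedThrough: chain.join(' › ') || '(direct)',
      });
    }
    walkV1(meta.dependencies, chain.concat(name), fixed, findings);
  }
}

// lockfileVersion 2/3: "packages" is a flat map keyed by node_modules path,
// so the path itself tells us which dependency owns each nested copy.
function walkV2(packages, fixed, findings) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === '') continue; // the root project entry
    const segments = path
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    const name = segments[segments.length - 1];
    if (!(name in fixed)) continue;
    if (compareVersions(meta.version, fixed[name]) < 0) {
      findings.push({
        name,
        version: meta.version,
        fixedIn: fixed[name],
        introducedThrough: segments.slice(0, -1).join(' › ') || '(direct)',
      });
    }
  }
}

function findVulnerable(lock, fixed = FIXED) {
  const findings = [];
  if (lock.packages) walkV2(lock.packages, fixed, findings);
  else walkV1(lock.dependencies, [], fixed, findings);
  return findings;
}

// Constructed lock file: the root resolution pins lodash 4.17.19, but the
// file manager still carries its own nested lodash 4.17.10.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': { version: '4.17.19' },
    'node_modules/@opuscapita/react-filemanager': { version: '1.1.4' },
    'node_modules/@opuscapita/react-filemanager/node_modules/lodash': { version: '4.17.10' },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls lodash` gives the same tree view interactively, but the script's output is easy to fail a CI job on.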
Lodash updated in #311, changes are released in 1.1.7. Other dependencies mentioned in the first comment are not reported by dependabot as vulnerabilities, therefore these are not updated in scope of this issue.
I am getting warnings from `npm install` via `npm audit`:

```
@opuscapita/filemanager-server: ^1.1.1
- 8 vulnerabilities (3 low, 1 moderate, 4 high)
@opuscapita/react-filemanager: ^1.1.1
- 2 high severity vulnerabilities
@opuscapita/react-filemanager-connector-node-v1
- 0 vulnerabilities
```

Besides those, there are also deprecation warnings, like `core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.`
In the meantime I am using `npm-force-resolutions` to get around them: