SAP / spartacus

Spartacus is a lean, Angular-based JavaScript storefront for SAP Commerce Cloud that communicates exclusively through the Commerce REST API.
Apache License 2.0

Sec Alert. lodash.template. Increase Version to 4.5.0. Prototype Pollution #6288

Closed giancorderoortiz closed 4 years ago

giancorderoortiz commented 4 years ago

The following security alert has been raised by GitHub.

Alert: https://github.com/SAP/cloud-commerce-spartacus-storefront/network/alert/yarn.lock/lodash.template/open

Severity: critical-severity

Request: Upgrade lodash.template to version 4.5.0 or later

Motive: Affected versions of lodash are vulnerable to Prototype Pollution. See CVE-2019-10744 https://github.com/advisories/GHSA-jf85-cpcp-j695

Additional comments: If the decision is to dismiss, please provide a concrete justification for further assessment during peer review.

tobi-or-not-tobi commented 4 years ago

fixed with #6299

giancorderoortiz commented 4 years ago

agreed