TheGoddessInari / hamsket

Free and Open Source messaging and emailing app that combines common web applications into one.
GNU General Public License v3.0

found 1 low severity vulnerability: lodash #59

Open HaleTom opened 6 years ago

HaleTom commented 6 years ago

Steps to reproduce

% npm install --cache "$srcdir/npm-cache"
audited 3082 packages in 4.571s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Expected behavior

No security vulnerabilities are listed

Actual behavior

% npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ crowdin [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ crowdin > lodash                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 3082 scanned packages
  1 vulnerability requires manual review. See the full report for details.

ENVIRONMENT

% git describe --tags
0.5.17-156-g821e3f5
% uname -a
Linux svelte 4.16.18-1-MANJARO #1 SMP PREEMPT Tue Jun 26 15:27:59 UTC 2018 x86_64 GNU/Linux

Does this happen upstream: yes, no, unknown, or N/A

Unknown

TheGoddessInari commented 6 years ago

It's known due to crowdin (which isn't maintained). It doesn't interact with the application in any way, isn't built in, and is run only if you use it manually from the git tree.

If there's a better/more collaborative translation "thingy" for javascript, I'm all ears, as crowdin seems like a mess.
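The triage in the comment above (the vulnerable lodash is reachable only through the unmaintained crowdin dev dependency, so it never ships with the app) is worth automating rather than eyeballing from the audit table. The following is an added example, not code from hamsket or its issue tracker: it walks a constructed package-lock-style tree (the versions and the `prod-lib` entry are hypothetical) and reports every lodash copy below the patched floor `4.17.5` together with whether the path to it is dev-only.

```javascript
// Added example (not hamsket's code): triage an npm audit finding by walking a
// package-lock-style tree and checking whether each vulnerable copy is dev-only.
// Minimal "major.minor.patch" comparison; prerelease tags are not handled.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "Patched in >=4.17.5" means any version below that floor is still affected.
function isVulnerable(version, patchedFloor) {
  return compareVersions(version, patchedFloor) < 0;
}

// Collect every path to `pkg` whose version is below the patched floor, noting
// whether the path passes through a dev dependency (package-lock marks these
// with `dev: true`; the flag is propagated down the subtree here).
function findVulnerablePaths(lock, pkg, patchedFloor) {
  const hits = [];
  function walk(node, path, dev) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const isDev = dev || Boolean(dep.dev);
      const nextPath = [...path, name];
      if (name === pkg && isVulnerable(dep.version, patchedFloor)) {
        hits.push({ path: nextPath.join(' > '), version: dep.version, devOnly: isDev });
      }
      walk(dep, nextPath, isDev);
    }
  }
  walk(lock, [], false);
  return hits;
}

// True when the finding never touches code that ships with the application.
function devOnlyFinding(hits) {
  return hits.length > 0 && hits.every((h) => h.devOnly);
}

// Constructed lock tree mirroring the report above (crowdin [dev] > lodash);
// the versions and the "prod-lib" entry are hypothetical.
const sampleLock = {
  dependencies: {
    crowdin: { version: '0.0.1', dev: true, dependencies: { lodash: { version: '4.17.4' } } },
    'prod-lib': { version: '1.0.0', dependencies: { lodash: { version: '4.17.10' } } },
  },
};
const lodashHits = findVulnerablePaths(sampleLock, 'lodash', '4.17.5');
console.log(lodashHits, 'dev-only:', devOnlyFinding(lodashHits));
```

A real run would load `package-lock.json` in place of `sampleLock`; a finding that is not dev-only is the one that actually needs a bump or an override before release.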