search

antoine-coulon / skott

All-in-one devtool to automatically analyze, search and visualize project modules and dependencies from JavaScript, TypeScript (JSX/TSX) and Node.js (ES6, CommonJS)
MIT License
669 stars 25 forks source link

fs-tree-structure is using a lodash.set that has high severity vulnerability! #137

Closed pedrolamas closed 9 months ago

pedrolamas commented 9 months ago

Summary

I've noticed the fs-tree-structure is using lodash.set which is 7 years old(!) and has been known to have a high severity vulnerability: https://github.com/advisories/GHSA-p6mc-m468-83gw

Reproduction steps

image

Expected result:

Audit should not report any known vulnerabilities.

Actual result:

Audit reports known vulnerability.

Details

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question Answer
skott installed version? 0.32.0
Operating system? Ubuntu (WSL2 in Windows 11)
Would you consider contributing a PR? Yes
Node.js version (node -v)? v20.9.0
pedrolamas commented 9 months ago

Small addendum to the above, I assume lodash.set is in use to avoid bringing in the whole of lodash, however that is what tree-shaking is for and nowadays lodash is quite optimized for that!

antoine-coulon commented 9 months ago

Hello @pedrolamas, thanks for the heads up and the landed fix!