Closed RichardMcSorley closed 3 years ago
This package declares a dependency on "underscore": "^1.9.2"
This means the latest version of underscore 1.x will be installed when you install cordova. Because the patch landed in 1.13.0, NPM will install this version for Cordova as it satisfies the declared version, therefore Cordova is not affected by this vulnerability. You however may need to reinstall Cordova so that NPM will install the latest versions of each dependency and sub-dependencies.
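To make the resolution argument above concrete, here is an added example (not code from the thread or from Cordova) implementing npm's caret-range rule and applying it to a constructed list of underscore versions; `isFlaggedUnderscore` encodes the scanner's "<= 1.12.0" condition from the issue, and the version list and function names are assumptions.

```javascript
// Added example: a minimal model of npm's caret (^) range rule, used to show
// why "^1.9.2" resolves to 1.13.0 (and never to a 2.x release).
// Handles plain X.Y.Z versions only; no prerelease tags or other operators.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ^X.Y.Z allows changes that leave the left-most non-zero component intact:
// ^1.9.2 := >=1.9.2 <2.0.0, ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := >=0.0.3 <0.0.4
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges supported');
  const minStr = range.slice(1);
  const min = parseVersion(minStr);
  if (compareVersions(version, minStr) < 0) return false; // below the floor
  let upper; // exclusive upper bound
  if (min[0] > 0) upper = [min[0] + 1, 0, 0];
  else if (min[1] > 0) upper = [0, min[1] + 1, 0];
  else upper = [0, 0, min[2] + 1];
  return compareVersions(version, upper.join('.')) < 0;
}

// npm picks the highest published version that satisfies the range.
function resolveHighest(range, published) {
  const ok = published.filter((v) => caretSatisfies(range, v));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

// The scanner in the issue flags underscore <= 1.12.0.
function isFlaggedUnderscore(version) {
  return compareVersions(version, '1.12.0') <= 0;
}

// Constructed sample of published versions (assumption, not the real registry).
const published = ['1.9.2', '1.12.0', '1.13.0', '2.0.0'];
const resolved = resolveHighest('^1.9.2', published);
console.log(`^1.9.2 resolves to ${resolved}; flagged: ${isFlaggedUnderscore(resolved)}`);
```

Running it against the real tree is a matter of replacing the constructed list with the output of `npm ls underscore` in the project.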
@breautek Thanks for the prompt reply.
Thought that was the case and had some trouble with my local npm but now all is as expected.
For those affected by this, simply run
npm uninstall cordova-android
npm install cordova-android
Run for cordova-ios if you are using that dependency also.
A security vulnerability was detected for underscore <= 1.12.0 according to my code scanner.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
My applications do not use underscore and it seems this only came up as a potential risk because I'm using this library via cordova.
Any suggestions are appreciated, Thanks!
Apache Cordova uses GitHub Issues as a feature request and bug tracker only. For usage and support questions, please check out the resources below. Thanks!
You can get answers to your usage and support questions about Apache Cordova on:
If you are using a tool that uses Cordova internally, like e.g. Ionic, check their support channels: