Open ghost opened 6 years ago
Hello,
Vulnerabilities, even low-severity ones, should not be ignored. Furthermore, the patch should be quick: a simple update of lodash.
👍 +1
👍 We are using this and ran into the same vulnerabilities.
Looks like `_.where` and `_.findWhere` need to be updated to use `_.filter` and `_.find` respectively.
Source: https://github.com/lodash/lodash/issues/1773
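To show why that replacement is a drop-in, here is an added example (not code from the thread or from swagger-express-mw): a standalone re-implementation of the lodash 3 `_.where` / `_.findWhere` behaviour written on top of `filter` / `find`. lodash itself is deliberately not imported so the snippet runs without `node_modules`; the `isMatch` helper is this example's own approximation of the object-shorthand matching that lodash 4's `_.filter` and `_.find` apply when handed a plain object, and the `users` array is constructed sample data.

```javascript
// Added example: the lodash 3 `_.where`/`_.findWhere` API expressed in terms of
// the lodash 4 `_.filter`/`_.find` API. No lodash import; everything below is a
// self-contained approximation written for this example.

// Partial deep equality: every key in `source` must be present in `obj` with a
// matching value. Nested objects recurse; arrays are compared element by element
// by index for the indices that `source` defines.
function isMatch(obj, source) {
  if (source === null || typeof source !== 'object') return obj === source;
  if (obj === null || typeof obj !== 'object') return false;
  if (Array.isArray(source)) {
    return Array.isArray(obj) && source.every((v, i) => isMatch(obj[i], v));
  }
  return Object.keys(source).every((k) => k in obj && isMatch(obj[k], source[k]));
}

// Accept the same iteratee shorthands lodash 4 accepts for filter/find:
// a function, a property name (truthiness check), or a property object.
function toPredicate(iteratee) {
  if (typeof iteratee === 'function') return iteratee;
  if (typeof iteratee === 'string') return (item) => Boolean(item && item[iteratee]);
  return (item) => isMatch(item, iteratee);
}

function filter(collection, iteratee) {
  return Array.from(collection).filter(toPredicate(iteratee));
}

function find(collection, iteratee) {
  return Array.from(collection).find(toPredicate(iteratee));
}

// The removed lodash 3 helpers are exactly filter/find with a property object,
// which is all the migration suggested in the thread amounts to.
function where(collection, props) {
  return filter(collection, props);
}

function findWhere(collection, props) {
  return find(collection, props);
}

// Constructed sample data for the example.
const users = [
  { user: 'barney', age: 36, active: true, roles: ['admin'] },
  { user: 'fred', age: 40, active: false, roles: ['user'] },
  { user: 'pebbles', age: 1, active: true, roles: ['user', 'admin'] },
];

// Usage: where(users, { active: true }) returns barney and pebbles;
// findWhere(users, { age: 40 }) returns fred.
```

When making the change in real code, grep for every `_.where(` / `_.findWhere(` call site and swap the function name only; the second argument keeps its meaning because lodash 4 treats a plain-object iteratee as a `_.matches` predicate.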
@ethanempe: what about a PR with that suggestion? :)
As this package seems to be abandoned, I created forked versions of swagger-express-mw, swagger-node-runner and bagpipes which fix all but one minor vulnerability (blocked by #137). I don't plan on maintaining them other than possible occasional lib updates.
You can use the patched libs you need with the following package.json entries:

```json
"swagger-express-mw": "Vincit/swagger-express#026b9527ebb8402db20bc479ed21e4047f1c45ba",
"swagger-node-runner": "Vincit/swagger-node-runner#427d0a4c43599de4aa03e2b3a359847b1b75cf84",
"bagpipes": "Vincit/bagpipes#b2eb059ba6f87c9185a83646fe5bac48288ccea4",
```
(I always recommend using commit-id-locked versions when referring directly to GitHub repositories.)
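The advice to lock GitHub references to a commit id is easy to check mechanically. The following is an added example, not part of the comment above or of any of the forked projects: a small Node script that scans a package.json object for git-style dependencies and reports the ones not locked to a full 40-hex commit sha (no ref, a branch or tag name, a short sha, or a `semver:` range). The `samplePkg` object is constructed for the example; the three pinned Vincit entries are the ones quoted in the comment, and `swagger-node-runner` is deliberately changed to `#master` and `some-lib` is invented to show the unpinned cases.

```javascript
// Added example: flag git/GitHub dependencies in package.json that are not
// locked to a full commit id. Everything here is written for this example.

const FULL_SHA = /^[0-9a-f]{40}$/i;

// npm's git dependency spellings: `owner/repo[#ref]` shorthand, hosted-git
// prefixes (`github:` etc.), and git URLs (`git+https://`, `git+ssh://`, `git://`,
// `https://github.com/...`). Registry ranges such as "^4.17.21" do not match.
function isGitSpec(spec) {
  if (/^(?:github:|gitlab:|bitbucket:|gist:|git\+|git:\/\/|https?:\/\/github\.com\/)/.test(spec)) {
    return true;
  }
  // Bare `owner/repo` shorthand: exactly one slash, no scheme, no leading @ or dot.
  return /^[A-Za-z0-9_-][A-Za-z0-9_.-]*\/[A-Za-z0-9_.-]+(?:#\S*)?$/.test(spec);
}

// The part after '#', i.e. the branch, tag, sha or `semver:` range.
function committish(spec) {
  const i = spec.indexOf('#');
  return i === -1 ? '' : spec.slice(i + 1);
}

// Returns null for non-git specs, otherwise { name, spec, pinned, reason }.
function classifyGitDep(name, spec) {
  if (!isGitSpec(spec)) return null;
  const ref = committish(spec);
  let reason;
  if (ref === '') {
    reason = 'no ref: floats with the default branch';
  } else if (ref.startsWith('semver:')) {
    reason = 'semver range: resolves to whichever tag matches at install time';
  } else if (!FULL_SHA.test(ref)) {
    reason = `ref "${ref}" is a branch, tag or short sha, not a full commit id`;
  }
  return { name, spec, pinned: reason === undefined, reason };
}

// Walk the dependency fields that npm installs and collect git specs.
function checkPinnedGitDeps(pkg) {
  const results = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const r = classifyGitDep(name, String(spec));
      if (r) results.push({ field, ...r });
    }
  }
  return results;
}

function unpinnedGitDeps(pkg) {
  return checkPinnedGitDeps(pkg).filter((r) => !r.pinned).map((r) => r.name);
}

// Constructed sample package.json (see the lead-in for which entries are real).
const samplePkg = {
  dependencies: {
    'swagger-express-mw': 'Vincit/swagger-express#026b9527ebb8402db20bc479ed21e4047f1c45ba',
    'swagger-node-runner': 'Vincit/swagger-node-runner#master',
    bagpipes: 'Vincit/bagpipes#b2eb059ba6f87c9185a83646fe5bac48288ccea4',
    'some-lib': 'github:acme/some-lib',
    lodash: '^4.17.21',
  },
};

// Usage against a real file:
//   const fs = require('fs');
//   console.log(unpinnedGitDeps(JSON.parse(fs.readFileSync('package.json', 'utf8'))));
```

A full sha is the only reference a third party cannot move after the fact; a branch or tag on someone else's fork can be rewritten or force-pushed, so anything short of the 40-hex id re-opens the door the fork was meant to close. The check does not verify that the sha exists or matches the lockfile, so keep `package-lock.json` committed as well.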
`npm audit` shows the following vulnerabilities for the latest version:

The following dependencies are used: