bevacqua / horsey

:horse: Progressive and customizable autocomplete component
https://bevacqua.github.io/horsey
MIT License
1.17k stars, 98 forks

Vulnerability report with lodash dependency #74

Open mikemix opened 5 years ago

mikemix commented 5 years ago

During npm install, 2 vulnerabilities (1 moderate, 1 low) are introduced when installing horsey:

npm audit gives

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Prototype Pollution
  Package         lodash
  Patched in      >=4.17.11
  Dependency of   @goguardian/horsey
  Path            @goguardian/horsey > lodash
  More info       https://npmjs.com/advisories/782

  Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   @goguardian/horsey
  Path            @goguardian/horsey > lodash
  More info       https://npmjs.com/advisories/577

Please update! @bevacqua is this library dead?
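The audit report above lists two advisories with their patched ranges (>=4.17.5 for advisory 577, >=4.17.11 for advisory 782). What a maintainer or consumer actually needs to verify is which lodash version the lockfile resolves, including nested copies under horsey, and whether each copy meets those ranges. The following is an added example, not code from horsey or npm: a dependency-free Node script that walks a constructed package-lock.json fragment and reports every installed copy of lodash that is below a patched version. The lockfile contents and the nested lodash version 4.17.4 are invented for illustration; the advisory ids, package name and patched versions are the ones quoted in the issue.

```javascript
// Added example (not horsey's own code): check whether every resolved copy of
// lodash in a lockfile satisfies the patched ranges reported by npm audit.
// Advisory data below is taken from the issue text; the lockfile is constructed.

const ADVISORIES = [
  { id: 577, severity: 'low', title: 'Prototype Pollution', package: 'lodash', patchedIn: '4.17.5' },
  { id: 782, severity: 'moderate', title: 'Prototype Pollution', package: 'lodash', patchedIn: '4.17.11' },
];

// Constructed package-lock.json (lockfileVersion 1 shape). The top-level lodash is
// patched, but horsey carries its own nested copy at an invented older version.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    horsey: {
      version: '4.2.2',
      requires: { lodash: '^4.17.4' },
      dependencies: {
        lodash: { version: '4.17.4' },
      },
    },
    lodash: { version: '4.17.11' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component (string comparison would rank 4.17.5 above 4.17.11).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every resolved copy of a package
// together with the path it was reached by, so nested duplicates are not missed.
function findInstalledVersions(lock, pkgName) {
  const found = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === pkgName) found.push({ path: here.join(' > '), version: entry.version });
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return found;
}

// Return one finding per (advisory, installed copy) pair that is below the patched version.
function auditLock(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const inst of findInstalledVersions(lock, adv.package)) {
      if (compareVersions(inst.version, adv.patchedIn) < 0) {
        findings.push({
          id: adv.id, severity: adv.severity, path: inst.path,
          version: inst.version, patchedIn: adv.patchedIn,
        });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLock(SAMPLE_LOCK, ADVISORIES)) {
    console.log(`${f.severity}\tadvisory ${f.id}\t${f.path}@${f.version} (patched in >=${f.patchedIn})`);
  }
}
```

Against the constructed lockfile the top-level lodash 4.17.11 passes both advisories, while the nested copy at horsey > lodash is flagged twice, which is the situation the audit output describes: the fix has to land in horsey's own dependency declaration, not only in the consuming project. To use this on a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json.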

zewa666 commented 4 years ago

Yes please, let's get https://github.com/bevacqua/horsey/pull/78 merged so we can all sleep a bit better. Damn, I see this is a year-old issue; any chance @bevacqua you can tell us something about the state of this library and whether you're going to maintain it any longer?