bholloway / resolve-url-loader

Webpack loader that resolves relative paths in url() statements based on the original source file

auditjs vulnerability warning #109

Closed sirudog closed 5 years ago

sirudog commented 5 years ago

Hello,

I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts. This generates a vulnerability report for the package dependencies my project uses. When the audit command is executed, it reports two warnings about lodash referenced by the resolve-url-loader package. The issue is mainly about resolve-url-loader using an older/vulnerable version of the lodash.defaults package. My question is whether resolve-url-loader could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.

Here is the output of auditjs:

------------------------------------------------------------
[873/1242] lodash.defaults 4.2.0  [VULNERABLE]   2 known vulnerabilities affecting installed version

[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /resolve-url-loader/lodash.defaults

CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.

ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /resolve-url-loader/lodash.defaults
------------------------------------------------------------
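Added example, not code from resolve-url-loader or lodash: a deep-defaults merge hardened against the pattern the advisory above describes (a `__proto__` key in untrusted input being walked into `Object.prototype`), plus a small check a test suite or CI job can use to detect that such pollution has occurred. The names `safeDefaultsDeep` and `pollutedWith` and the constructed input are assumptions.

```javascript
// Added example (not from resolve-url-loader or lodash). A deep "defaults"
// merge that refuses to follow keys which reach the prototype chain, which is
// the CWE-471 / CVE-2018-3721 weakness described in the advisory output above.

// Keys that let a merge escape the target object and reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects (literals, JSON.parse output, null-proto maps).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fill missing properties of `target` from each `source`, recursing into plain
// objects. Only own keys of each source are read, forbidden keys are skipped,
// and nested source objects are copied rather than aliased.
function safeDefaultsDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // never walk the prototype chain
      const srcVal = source[key];
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || target[key] === undefined) {
        target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
      } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
        safeDefaultsDeep(target[key], srcVal);
      }
    }
  }
  return target;
}

// Detection check for tests/CI: pick a key you know no legitimate object
// defines; if a fresh empty object can see it, Object.prototype was polluted.
function pollutedWith(key) {
  return ({})[key] !== undefined;
}

// Constructed input, shaped like untrusted JSON config. JSON.parse creates an
// own property literally named "__proto__", which is what a naive deep merge
// would then assign through.
const untrusted = JSON.parse('{"cache":{"enabled":true},"__proto__":{"polluted":"yes"}}');
const config = safeDefaultsDeep({ cache: { ttl: 60 } }, untrusted);
console.log(JSON.stringify(config), 'polluted:', pollutedWith('polluted'));
```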