cameronhunter / local-ssl-proxy

Simple SSL HTTP proxy using a self-signed certificate. Intended for local development only.
MIT License

Arbitrary Code Execution in underscore via a transitive dependency on nomnom #104

Closed: akoumany closed this 1 year ago

akoumany commented 2 years ago

Hi there @cameronhunter

Huge thanks for putting this together. Dependabot found a vulnerability in underscore@~1.6.0 via a transitive dependency on nomnom@1.8.1.

I see that nomnom is 10 years old and unmaintained. Any plans to update packages?

If not, do you have time to review and merge a fix if I put in the work?

cameronhunter commented 1 year ago

I've removed the dependency on nomnom in v2.0.0