cloudfoundry-community / node-cfenv

easy access to your Cloud Foundry application environment for node
Apache License 2.0
73 stars, 20 forks

Update package.json - Security Fix #47

Closed AlAyoub closed 3 years ago

AlAyoub commented 3 years ago

Current versions of underscore have a vulnerability. The most recent non-vulnerable version is 1.3.1 and that is why it is specified that way.

pmuellr commented 3 years ago

> Current versions of underscore have a vulnerability. The most recent non-vulnerable version is 1.3.1 and that is why it is specified that way.

Where did you get this information?

Downgrading that many releases seems ... bad. Seems like that was right before changes to _.template in 1.3.3, which seems ... not great.

I just looked at https://snyk.io/vuln/npm:underscore and ... looks clean to me!

The current version that should get picked up is 1.9.x


So ... this PR doesn't look like something that should be merged.

AlAyoub commented 3 years ago

@pmuellr This issue opened up early this morning in Sonar Nexus.

I dug a little deeper and it appears the issue is that underscore is using a lodash script in underscore-min.js. This issue was recently resolved in Lodash 4.17.21, however, it looks like underscore will need to manually fix this issue since it's the actual script versus the lodash package.

https://github.com/lodash/lodash/issues/5083

With that said, even if underscore fixes the issue in the newest release, cfenv is restricting the version of underscore to 1.9.x which means it will not see the update as the fix would be in version 1.12.x.

Let me know if you need me to clarify or give more information, thanks.
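How a package.json range decides which underscore release gets installed, shown as an added JavaScript example that is not part of this thread or of node-cfenv. It implements only the range forms the discussion touches (exact, `1.9.x`, `~`, `^`) rather than the full `semver` package; the release list and the `1.12.0` "fixed" version are constructed placeholders standing in for the hypothetical patched release the thread expected.

```javascript
// Added example, not node-cfenv code: minimal semver range resolution showing
// why a dependency restricted to "1.9.x" never resolves to a 1.12.x release.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`bad version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Range forms handled: exact "1.3.1", x-range "1.9.x" (any patch of 1.9),
// tilde "~1.9.1" (patch bumps only), caret "^1.9.1" (minor and patch bumps
// for major > 0, patch bumps only for 0.x).
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (/^\d+\.\d+\.x$/.test(r)) {
    const [maj, min] = r.split('.').map(Number);
    return v[0] === maj && v[1] === min;
  }
  if (r[0] === '~' || r[0] === '^') {
    const base = parseVersion(r.slice(1));
    if (compare(v, base) < 0) return false;
    if (r[0] === '~') return v[0] === base[0] && v[1] === base[1];
    return base[0] > 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
  }
  return compare(v, parseVersion(r)) === 0;
}

// Highest published version the range allows, i.e. what npm would install.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Does the range ever pull in a version at or above the patched one?
function picksUpFix(range, available, fixedVersion) {
  const r = resolve(range, available);
  return r !== null && compare(parseVersion(r), parseVersion(fixedVersion)) >= 0;
}

// Constructed release list (placeholder, not an advisory): 1.12.0 plays the
// role of the hypothetical fixed release discussed in the thread.
const AVAILABLE = ['1.3.1', '1.3.3', '1.9.1', '1.9.2', '1.10.2', '1.11.0', '1.12.0'];
```

With this list, `picksUpFix('1.9.x', AVAILABLE, '1.12.0')` is false because the range tops out at 1.9.2, while a caret range such as `^1.9.1` resolves to 1.12.0 and would receive the fix; auditing ranges this way is cheaper than downgrading to an old release.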

pmuellr commented 3 years ago

Thanks for the info. A better fix will be to upgrade to some newer version of underscore, so let's wait for that to happen.

Can you provide a link to the Sonar Nexus vulnerability?

AlAyoub commented 3 years ago

I can't post the actual Nexus link because it's through a corporation and only works internally. However, here is the CVE that is referenced 3 times.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337

Also, it's seeing the vulnerability in underscore-min.js.

pmuellr commented 3 years ago

Here's a PR that updates all the dependencies, but also bumps the major version since the CoffeeScript code generator now generates code that doesn't run in older Node.js runtimes.

PR https://github.com/cloudfoundry-community/node-cfenv/pull/48

AlAyoub commented 3 years ago

@pmuellr it turns out the security issue reported by Sonatype in the package underscore was a false alarm. Here are more details and my interaction with the maintainers at underscore:

https://github.com/jashkenas/underscore/issues/2911

I apologize for any inconvenience and thank you for your time and effort.