dciccale / grunt-processhtml

Process html files at build time to modify them depending on the release environment
MIT License

Lodash security issue #120

Open hkernbach opened 4 years ago

hkernbach commented 4 years ago

Lodash dependency needs to be raised, see:

High:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Low:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
june07 commented 4 years ago

@dciccale Any chance we can get someone to accept https://github.com/dciccale/grunt-processhtml/pull/122? Is this still supported? If not, is there a recommended replacement? Thanks.

june07 commented 4 years ago

@dciccale Any chance we can get someone to accept #122? Is this still supported? If not, is there a recommended replacement? Thanks.

@marcobiedermann ...

marcobiedermann commented 3 years ago

@june07

I'm sorry, but I am not a maintainer of this project and therefore cannot approve the changes. In general, the update looks good to me.

I guess @dciccale can help out.

dciccale commented 3 years ago

122 has been merged.

parasyte commented 3 years ago

A new vulnerability was patched with #124:

  High            Command Injection
  Package         lodash
  Patched in      >=4.17.21
  Dependency of   grunt-processhtml [dev]
  Path            grunt-processhtml > htmlprocessor > lodash
  More info       https://npmjs.com/advisories/1673
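As an added example (not the project's code, and not posted by anyone in this thread): a small Node script that walks a lockfileVersion 1 package-lock tree, lists every path to lodash, and flags copies below the "Patched in" versions quoted in the advisories above. The lock file is constructed; versions of packages other than lodash are placeholders.

```javascript
// Added example: find every copy of lodash in an npm v1-style package-lock
// tree and flag those below the "Patched in" thresholds of the four advisories
// quoted in this issue. The lock file at the bottom is constructed sample data.
const ADVISORIES = [
  { id: 577,  severity: 'Low',  title: 'Prototype Pollution', patched: '4.17.5' },
  { id: 782,  severity: 'High', title: 'Prototype Pollution', patched: '4.17.11' },
  { id: 1065, severity: 'High', title: 'Prototype Pollution', patched: '4.17.12' },
  { id: 1673, severity: 'High', title: 'Command Injection',   patched: '4.17.21' },
];

// Minimal numeric x.y.z comparison, so the script needs no `semver` dependency.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect { path, version } for `target` in the nested
// "dependencies" map used by package-lock.json lockfileVersion 1.
function findPaths(deps, target, prefix = [], out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    if (name === target) out.push({ path: path.join(' > '), version: meta.version });
    findPaths(meta.dependencies, target, path, out);
  }
  return out;
}

// For each installed copy, list the advisory ids whose patched version it is below.
function audit(lock, target = 'lodash') {
  return findPaths(lock.dependencies, target, [lock.name]).map(hit => ({
    ...hit,
    open: ADVISORIES.filter(a => cmpVersion(hit.version, a.patched) < 0).map(a => a.id),
  }));
}

// Constructed lock file: one stale transitive copy under htmlprocessor (the path
// reported in the thread) and one up-to-date top-level copy.
const SAMPLE_LOCK = {
  name: 'my-site', lockfileVersion: 1,
  dependencies: {
    'grunt-processhtml': { version: '0.0.0-placeholder', dev: true, dependencies: {
      htmlprocessor: { version: '0.0.0-placeholder', dev: true, dependencies: {
        lodash: { version: '4.17.10', dev: true } } } } },
    lodash: { version: '4.17.21' },
  },
};

console.log(JSON.stringify(audit(SAMPLE_LOCK), null, 2));
```

Run with `node audit-lodash.js`; the transitive copy is reported as still open for advisories 782, 1065 and 1673, while the 4.17.21 copy is clean.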