Closed yoli799480165 closed 6 years ago
I would argue this detected vulnerability is irrelevant: the node modules used by this plugin are used in the context of the offline Cordova build process (as opposed to being in an online environment, e.g. in website JS) and therefore the opportunity for a malicious 3rd party script to exploit the referenced vulnerability would be pointless.
Additionally, the specified low version of lodash is not directly referenced by this plugin, which references ^4.3.0, but indirectly, deep down in its dependency tree:
```
+-- cordova-custom-config@4.0.2
| +-- lodash@4.17.4
| +-- plist@1.2.0
| | +-- base64-js@0.0.8
| | +-- util-deprecate@1.0.2
| | +-- xmlbuilder@4.0.0
| | | `-- lodash@3.10.1
```
This forked version of plist is explicitly referenced and cannot be updated due to an unresolved bug in the versions released to npm - see here.
```
Low             Prototype Pollution
Package         lodash
Patched in      >=4.17.5
Dependency of   cordova-custom-config
Path            cordova-custom-config > bc1b0c8409a659a2aa60420bf1c2bf81eef80c3fc2c68d008bd66894d9e…
More info       https://nodesecurity.io/advisories/577

found 1 low severity vulnerability in 3804 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```
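The triage the thread does by hand (which path pulls in the flagged lodash, and is it direct or transitive?) can be scripted. The following is an added example, not code from the issue or from the cordova-custom-config project: it walks an npm-style nested dependency tree (the shape of `npm ls --json` or a v1 lockfile's `dependencies` object) and lists every path ending in a package whose version is below the "Patched in" version from the audit. The tree is constructed to mirror the `npm ls` excerpt above; the helper names and the plain `x.y.z` version comparison are assumptions.

```javascript
// Added example (not from the issue or the cordova-custom-config project).
// Constructed tree mirroring the `npm ls` excerpt quoted in the thread,
// with the plugin itself as the root.
const sampleTree = {
  name: 'cordova-custom-config',
  version: '4.0.2',
  dependencies: {
    lodash: { version: '4.17.4' },
    plist: {
      version: '1.2.0',
      dependencies: {
        'base64-js': { version: '0.0.8' },
        'util-deprecate': { version: '1.0.2' },
        xmlbuilder: {
          version: '4.0.0',
          dependencies: { lodash: { version: '3.10.1' } },
        },
      },
    },
  },
};

// Compare two plain x.y.z versions numerically (-1, 0, 1). Pre-release tags
// and build metadata are not handled (assumption: plain versions only).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every "a > b > pkg@version" path whose leaf is `pkg` installed at a
// version strictly below `patchedIn` (i.e. not covered by ">=patchedIn").
function findVulnerablePaths(tree, pkg, patchedIn) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, node] of Object.entries(deps || {})) {
      if (name === pkg && compareVersions(node.version, patchedIn) < 0) {
        hits.push([...trail, `${name}@${node.version}`].join(' > '));
      }
      walk(node.dependencies, [...trail, name]);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

// A path with no " > " separator is a direct dependency of the root;
// anything longer is transitive and can only change when the intermediate
// package changes its own range.
function isDirect(path) {
  return path.split(' > ').length === 1;
}

const paths = findVulnerablePaths(sampleTree, 'lodash', '4.17.5');
for (const p of paths) {
  console.log(`${isDirect(p) ? 'direct    ' : 'transitive'}  ${p}`);
}
```

Run against the sample tree it reports the direct `lodash@4.17.4` (fixable by refreshing the lockfile within the declared range) and the transitive `plist > xmlbuilder > lodash@3.10.1`, which is exactly the occurrence the maintainer says cannot be moved without a newer plist. Pointing it at real `npm ls --json` output only requires `JSON.parse` of that file in place of `sampleTree`.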