dtabuenc / karma-html-reporter

Karma Html Reporter Plugin
MIT License
45 stars 30 forks

Update lodash, to address npm audit results #42

Open ntdaley opened 5 years ago

ntdaley commented 5 years ago

Running npm audit on a project that uses karma-html-reporter includes output like:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 80dd5990e7597a6d3477fd57c9c80cb2efe87974eb098711a1cf87cab15… │
│               │ [dev]                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 80dd5990e7597a6d3477fd57c9c80cb2efe87974eb098711a1cf87cab15… │
│               │ > karma-html-reporter > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

If dependency on lodash gets updated, then there'd be no issues reported for karma-html-reporter.
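As an added example (not part of the original issue or of karma-html-reporter), the following Node script reproduces the "Path" column of the audit output above by walking a package-lock.json and flagging every installed copy of lodash that is below the patched version. The lockfile contents are constructed to mirror this thread (lodash 2.2.1 nested under karma-html-reporter 0.2.7 as a dev dependency), and the ">=4.17.11" threshold is taken from the audit table; reading the lockfile from disk instead of the inline sample is left to the reader.

```javascript
// Added example, not project code: locate every copy of a package in a
// package-lock.json (lockfileVersion 1 layout) and check it against the
// "Patched in" version reported by npm audit.
const PATCHED = { lodash: [4, 17, 11] }; // "Patched in >=4.17.11" from the audit table

// Constructed sample lockfile: a patched root-level lodash plus the vulnerable
// 2.2.1 copy that karma-html-reporter pins and npm nests under it.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    'karma-html-reporter': {
      version: '0.2.7',
      dev: true,
      requires: { lodash: '2.2.1' },
      dependencies: { lodash: { version: '2.2.1', dev: true } },
    },
  },
};

// Minimal numeric x.y.z comparison (no semver dependency needed offline).
function atLeast(version, min) {
  const parts = version.split('.').map(Number);
  for (let i = 0; i < min.length; i++) {
    const p = parts[i] || 0;
    if (p !== min[i]) return p > min[i];
  }
  return true;
}

// Recursively collect each occurrence of `target`, recording the dependency
// chain the way npm audit prints it ("karma-html-reporter > lodash").
function findInstalls(deps, target, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const chain = [...path, name];
    if (name === target) {
      out.push({
        path: chain.join(' > '),
        version: info.version,
        dev: Boolean(info.dev),
        patched: atLeast(info.version, PATCHED[target]),
      });
    }
    findInstalls(info.dependencies, target, chain, out); // nested copies
  }
  return out;
}

function auditLock(lock, target) {
  return findInstalls(lock.dependencies, target);
}

// One report line per installed copy, e.g. "VULNERABLE karma-html-reporter > lodash@2.2.1 [dev]"
function formatReport(lock, target) {
  return auditLock(lock, target).map(
    (h) => `${h.patched ? 'ok' : 'VULNERABLE'} ${h.path}@${h.version}${h.dev ? ' [dev]' : ''}`,
  );
}

console.log(formatReport(SAMPLE_LOCK, 'lodash').join('\n'));
```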

Karthikvenkat86 commented 5 years ago

Any update on the above-mentioned issue?

I see the latest version of lodash has been updated in package.json or the source file, but it's getting overwritten to lodash@2.2.1 after doing npm i karma-html-reporter.

yzini-eagle commented 4 years ago

I'm having the same issues as mentioned above.

lechen26 commented 4 years ago

Same here, lodash is still on 2.2.1 when installing the latest 0.2.7 package.

HarshSainiJobvite commented 3 years ago

Even after updating the lodash version, the package version is still 0.2.7.

maks-humeniuk commented 2 years ago

I'm having the same issue in 0.2.7, and it's critical now.

Critical        Prototype Pollution in lodash
Package         lodash
Patched in      >=4.17.12
Dependency of   karma-html-reporter [dev]
Path            karma-html-reporter > lodash
More info       https://github.com/advisories/GHSA-jf85-cpcp-j695
More info       https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

CharlotteZheng commented 1 year ago

Any updates on this?

kvulpetti commented 6 months ago

I'm also looking for updates.