electron / windows-installer

Build Windows Installers for Electron apps
MIT License

electron-winstaller depends on vulnerable lodash.template #510

Closed sparecycles closed 2 months ago

sparecycles commented 2 months ago
# npm audit report

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
No fix available
node_modules/lodash.template
  electron-winstaller  >=2.1.0
  Depends on vulnerable versions of lodash.template
  node_modules/electron-winstaller
    @electron-forge/maker-squirrel  *
    Depends on vulnerable versions of electron-winstaller
    node_modules/@electron-forge/maker-squirrel

No fix available for lodash.template, can it depend on lodash@^4.17.21 instead?
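The audit report above is what a human reads; a build pipeline needs the same information in machine form. The following is an added example (not code from the issue or from the windows-installer project) that evaluates the JSON produced by `npm audit --json`. The report embedded below is constructed to mirror the findings quoted in this issue, and the field names (`vulnerabilities`, `severity`, `via`, `range`, `fixAvailable`) are assumed from the npm 7+ report format; `via` entries that are objects describe the advisory itself, while plain strings name the dependency through which a package is affected.

```javascript
// Added example: decide whether an `npm audit --json` report should block a
// build, and separate root-cause packages from ones affected only transitively.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report, modelled on the advisory quoted in the issue.
// Field names assume the npm 7+ audit JSON layout.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'lodash.template': {
      name: 'lodash.template',
      severity: 'high',
      isDirect: false,
      via: [
        {
          title: 'Command Injection in lodash',
          url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm',
          severity: 'high',
        },
      ],
      range: '*',
      fixAvailable: false,
    },
    'electron-winstaller': {
      name: 'electron-winstaller',
      severity: 'high',
      isDirect: false,
      via: ['lodash.template'],   // affected only through lodash.template
      range: '>=2.1.0',
      fixAvailable: false,
    },
  },
};

// Return findings at or above `minSeverity`. `rootCause` is true when the
// package carries an advisory of its own rather than inheriting one from a
// dependency; root causes are listed first so the actionable item is on top.
function findBlockingVulns(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < threshold) continue;
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    findings.push({
      name: v.name,
      severity: v.severity,
      range: v.range,
      rootCause: advisories.length > 0,
      fixAvailable: Boolean(v.fixAvailable),
      advisories: advisories.map((a) => a.url),
    });
  }
  return findings.sort(
    (a, b) => Number(b.rootCause) - Number(a.rootCause) || a.name.localeCompare(b.name),
  );
}

// A build should stop when any blocking finding exists, fix available or not:
// "no fix available" is a reason to replace the dependency, not to ship it.
function shouldFailBuild(report, minSeverity = 'high') {
  return findBlockingVulns(report, minSeverity).length > 0;
}
```

Run `findBlockingVulns(SAMPLE_AUDIT)` to get the two findings with `lodash.template` first, or feed it `JSON.parse` of a real `npm audit --json` run; `shouldFailBuild` is the boolean a CI step would act on.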

ecnepsnai commented 2 months ago

This package only appears to use lodash in one spot: https://github.com/electron/windows-installer/blob/f6e76ae39b68c433a20547a0c1b762d372f4ff6d/src/index.ts#L134

Perhaps we should look at ways to remove this dependency altogether.
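When a package uses `lodash.template` only to fill named values into a fixed string, the dependency can be dropped in favour of a substitution that never compiles the template into JavaScript. The block below is an added example for that approach; it is not the windows-installer code and is not what release 5.3.1 necessarily did. It assumes the rendered output is an XML manifest (so values are XML-escaped by default) and uses a constructed sample template, not the project's real one.

```javascript
// Added example, not the project's code. A fixed-syntax "{{name}}" substitution
// that can stand in for lodash.template when a template only needs named values
// filled in. The template text is never compiled or evaluated, so neither the
// template nor the values can inject code; the output escaping assumes an XML
// target, which is an assumption of this example.

const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape a value so it is safe as XML text or attribute content.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Substitute {{ key }} placeholders. Unknown keys fail loudly rather than
// rendering an empty string or leaking the raw placeholder into the artifact.
// Anything that is not a {{ key }} placeholder is copied through verbatim.
function renderTemplate(template, values, { escape = escapeXml } = {}) {
  return template.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_match, key) => {
    if (!Object.prototype.hasOwnProperty.call(values, key)) {
      throw new Error(`template refers to unknown value "${key}"`);
    }
    return escape(values[key]);
  });
}

// Constructed sample manifest (hypothetical; not the project's real template).
const SAMPLE_TEMPLATE = [
  '<?xml version="1.0"?>',
  '<package>',
  '  <metadata>',
  '    <id>{{ name }}</id>',
  '    <version>{{version}}</version>',
  '    <description>{{description}}</description>',
  '  </metadata>',
  '</package>',
].join('\n');

// Render the sample with values that include XML-significant characters.
function renderSample() {
  return renderTemplate(SAMPLE_TEMPLATE, {
    name: 'my-app',
    version: '1.2.3',
    description: 'Tools & <widgets>',
  });
}
```

`renderSample()` returns the manifest with `my-app`, `1.2.3` and `Tools &amp; &lt;widgets&gt;` in place. Because the template is matched with a regular expression and not compiled, `<%= %>` style markup in either the template or a value is just text in the output, which is the property that removes the class of bug behind the advisory.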

continuous-auth[bot] commented 2 months ago

:tada: This issue has been resolved in version 5.3.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket: