ericvicenti / ssh-keygen

Generates SSH key-pairs in node.js
MIT License
67 stars 49 forks

Outdated underscore dependency reported with High security #24

Closed jaspenlind closed 1 year ago

jaspenlind commented 3 years ago

```
=== npm audit security report ===

Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High           Arbitrary Code Execution
Package        underscore
Patched in     >=1.12.1
Dependency of  ssh-keygen
Path           ssh-keygen > underscore
More info      https://npmjs.com/advisories/1674
```

micalevisk commented 2 years ago

As this repo feels abandoned, I've forked and published it under the @micalevisk/ssh-keygen package. It doesn't rely on underscore anymore. And it has a type definitions file :fire:

```javascript
import keygen from '@micalevisk/ssh-keygen'

keygen({
  comment: 'john@doe.com', // comment embedded in the generated public key
  read: true               // read the generated files back and return their contents
}, function (err, out) { // Optional callback. Will return a Promise if not provided
  if (err !== undefined) return console.log('There was a problem : ' + err)
  console.log('Done generating key pairs')
  console.log(out?.key)    // private key contents
  console.log(out?.pubKey) // public key contents
})
```
![image](https://user-images.githubusercontent.com/13461315/151904001-ca89cbfb-0caa-4482-9861-e79208944a90.png) ![image](https://user-images.githubusercontent.com/13461315/151904012-2c9c248e-0925-4453-8789-37ec7d286e05.png)

Also, I'm planning to do the following (later):

(I'll update this message accordingly).

ericvicenti commented 1 year ago

Apologies for the late response and "High security" warning. There is no security impact here as we don't use underscore's template function.

And wow, I must have been 10 years dumber when I wrote this library, because it literally imports underscore for _.isUndefined, LOL