graphql-cli / graphql-cli-prepare

Plugin for graphql-cli to bundle schemas and generate bindings
MIT License

fix vulnerability in lodash #116

Open jjaybrown opened 5 years ago

jjaybrown commented 5 years ago

Prototype Pollution

Vulnerable module: lodash
Introduced through: graphql-cli@3.0.12

Detailed paths
Introduced through: @spherehq/database@0.13.1 › graphql-cli@3.0.12 › graphql-cli-prepare@1.4.19 › lodash@4.17.5
Remediation: No remediation path available.

Vulnerable Functions
lodash.safeGet

Overview

lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721.

jjaybrown commented 5 years ago

@schickling not sure whether this is something you could help with?