honza / node-thumbnail

Thumbnail worker queue for node.js
http://honza.ca/node-thumbnail/

Vulnerability in dependency lodash #37

Closed vijayant123 closed 3 years ago

vijayant123 commented 5 years ago

Hi,

running npm audit for your package "node-thumbnail" points out that you are using a vulnerable version of lodash. Please update it.

Regards, Vijayant

output of npm audit:

```
Run npm update lodash --depth 3 to resolve 1 vulnerability

Low            Prototype Pollution
Package        lodash
Dependency of  node-thumbnail
Path           node-thumbnail > async > lodash
More info      https://nodesecurity.io/advisories/577
```

vijayant123 commented 5 years ago

```
Low            Prototype Pollution
Package        lodash
Patched in     >=4.17.5
Dependency of  node-thumbnail
Path           node-thumbnail > lodash
More info      https://nodesecurity.io/advisories/577
```

vijayant123 commented 5 years ago

Hi @honza,

Although you have bumped the version of lodash in commit 7210247, you have forgotten to run npm audit to see if the issue was resolved. The issue still exists, and the following is the output of npm audit:

```
Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

High           Prototype Pollution
Package        lodash
Patched in     >=4.17.11
Dependency of  node-thumbnail
Path           node-thumbnail > lodash
More info      https://nodesecurity.io/advisories/782
```

Also issue #40 seems pretty significant but the latest release does not include it, so that makes me believe that v 0.15.0 is not suitable for production deployment. Please fix this by making a release again.

Regards, Vijayant
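The point of the thread is that bumping a dependency is not the same as verifying the advisory is closed: the first bump landed below the `>=4.17.11` range that advisory 782 requires. The script below is an added example, not code from node-thumbnail or from this issue. It takes a report shaped like the legacy `npm audit --json` output (an `advisories` object keyed by advisory id, with `module_name`, `severity`, `patched_versions` and `findings[].paths`) and the versions actually installed, and lists every advisory whose patched range the installed version does not satisfy, together with the dependency paths that reach it. The report embedded here is constructed from the two advisory ids, paths and patched ranges quoted above; the `findings[].version` values and the installed versions are made up for illustration. The range parser only understands the `>=x.y.z` form those advisories use, which is an assumption; real reports carry full semver ranges, for which the `semver` package is the right tool.

```javascript
// Added example: check whether the advisories in an npm audit report are
// resolved by the versions currently installed. Not part of node-thumbnail.

// Parse "x.y.z" into numeric components.
function parseVersion(v) {
  return v.trim().split('.').map((n) => parseInt(n, 10));
}

// Compare two "x.y.z" versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Assumption: only the ">=x.y.z" patched range form is handled here.
function satisfiesPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedRange.trim());
  if (!m) throw new Error(`unsupported patched range: ${patchedRange}`);
  return compareVersions(installed, m[1]) >= 0;
}

// Constructed sample in the legacy npm audit JSON shape. Advisory ids, paths
// and patched ranges come from the issue; the findings versions are made up.
const SAMPLE_AUDIT = {
  advisories: {
    577: {
      id: 577, module_name: 'lodash', severity: 'low', title: 'Prototype Pollution',
      patched_versions: '>=4.17.5',
      findings: [{ version: '4.17.4', paths: ['node-thumbnail>async>lodash'] }],
    },
    782: {
      id: 782, module_name: 'lodash', severity: 'high', title: 'Prototype Pollution',
      patched_versions: '>=4.17.11',
      findings: [{ version: '4.17.10', paths: ['node-thumbnail>lodash'] }],
    },
  },
};

// Return the advisories still open given a map of module name -> installed version.
// A module missing from the map is treated as unresolved (nothing proves it fixed).
function unresolvedAdvisories(report, installed) {
  const open = [];
  for (const adv of Object.values(report.advisories)) {
    const version = installed[adv.module_name];
    if (version === undefined || !satisfiesPatched(version, adv.patched_versions)) {
      open.push({
        id: adv.id,
        module: adv.module_name,
        severity: adv.severity,
        patched: adv.patched_versions,
        paths: adv.findings.flatMap((f) => f.paths),
      });
    }
  }
  return open;
}

// One-line summary suitable for a CI log.
function summarize(report, installed) {
  const open = unresolvedAdvisories(report, installed);
  if (open.length === 0) return 'no open advisories';
  return open
    .map((a) => `#${a.id} ${a.module} (${a.severity}, patched in ${a.patched}) via ${a.paths.join(', ')}`)
    .join('; ');
}

// Demonstration with two hypothetical installed versions: one below and one
// at the range advisory 782 requires.
for (const v of ['4.17.10', '4.17.11']) {
  console.log(`lodash ${v}: ${summarize(SAMPLE_AUDIT, { lodash: v })}`);
}
```

In practice the report would come from `npm audit --json` piped into this check after every dependency bump, so a release that still resolves to a version below the patched range fails before it ships, which is exactly the verification step the comment above says was skipped.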