jashkenas / underscore

JavaScript's utility _ belt
https://underscorejs.org
MIT License

Security leak in _.template, please update #2915

Closed jgonggrijp closed 3 years ago

jgonggrijp commented 3 years ago

We were notified of a security issue in _.template, which appears to have existed since Underscore version 1.3.2. The bug was fixed in versions 1.12.1 and 1.13.0-2, which I just published. If using NPM, please upgrade to underscore@latest or underscore@preview.
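To check whether a project still installs a version in the range named in the announcement above, including nested transitive copies, the lockfile can be scanned. This is an added example, not part of the thread or of Underscore's code; the sample lockfile and the package name `some-lib` are constructed, and treating 1.13.0 previews older than 1.13.0-2 as affected is an assumption drawn from the announcement.

```javascript
// Added example, not Underscore project code. Versions come from the announcement:
// affected since 1.3.2, fixed in 1.12.1 (latest) and 1.13.0-2 (preview).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(String(v));
  if (!m) return null; // unrecognised format: reported as "unknown" for manual review
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] === undefined ? null : +m[4] };
}
// Semver order: numeric triple first; a prerelease sorts before its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  if (a.pre === b.pre) return 0;
  if (a.pre === null || b.pre === null) return a.pre === null ? 1 : -1;
  return a.pre < b.pre ? -1 : 1;
}
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const before = (s) => compare(v, parseVersion(s)) < 0;
  if (before("1.3.2")) return "predates-bug"; // older than the first version named
  if (before("1.12.1")) return "affected";
  if (before("1.13.0-0")) return "fixed";
  if (before("1.13.0-2")) return "affected"; // assumption: earlier 1.13.0 previews
  return "fixed";
}
// Collect every underscore copy in a parsed package-lock.json, nested ones included.
function findUnderscore(lock) {
  const hits = [];
  const add = (where, meta) => hits.push({ where, version: meta.version, status: classify(meta.version) });
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/underscore$/.test(path)) add(path, meta);
    }
  } else { // lockfileVersion 1: nested "dependencies" trees
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === "underscore") add(trail + name, meta);
        walk(meta.dependencies, trail + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Constructed sample lockfile (not from any real project).
const sampleLock = { lockfileVersion: 2, packages: {
  "node_modules/underscore": { version: "1.12.1" },
  "node_modules/some-lib/node_modules/underscore": { version: "1.9.1" },
} };
console.log(findUnderscore(sampleLock));
```

Any entry reported as `affected` or `unknown` needs the upgrade or a manual look, even when the top-level copy is already fixed.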

willdurand commented 3 years ago

@jgonggrijp where is the 1.12.1 tag?

jgonggrijp commented 3 years ago

@willdurand I intentionally postponed pushing that in order to give people who want to exploit the leak less to go on. I'll let you know when I push it.

willdurand commented 3 years ago

thanks

jgonggrijp commented 3 years ago

@willdurand The tag is online now.