lightstep / lightstep-tracer-javascript

Lightstep distributed tracing library for Node.js and the browser
https://lightstep.com
MIT License

lightstep-tracer-javascript latest version contains high severity vulnerability of underscore package #274

Closed hitendra-ap closed 3 years ago

hitendra-ap commented 3 years ago

Hi, the latest version of lightstep-tracer-javascript contains a high-severity vulnerability in the underscore package.

The latest version of lightstep-tracer-javascript uses thrift version 0.13.0 as a dependency; to fix the vulnerability, this needs to be upgraded to version 0.14.1. Please have a look.

hitendra-ap commented 3 years ago

Hi, any update on this?

obecny commented 3 years ago

@hitendra-ap we know about the issue and it is still under investigation. We will continue this week too; I will keep you posted.

mwear commented 3 years ago

@hitendra-ap thanks for the report. We've upgraded to thrift v0.14.1 and released v0.31.2 of the standard and no-protobuf versions.

Feel free to reopen this or open another issue if you need anything else!