Closed tedyyu closed 1 year ago
@jdalton @jashkenas @falsyvalues @bnjmnt4n @blikblum...
Our security scanning team is behind us, since underscore.js version 1.8.3 has the below vulnerability:
CVE-2021-23358: Affected versions of Underscore.js are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.
Can you please confirm if the latest release of lodash is affected because of this? And how can we remediate this vulnerability?
Hi @tedyyu, lodash doesn't have underscore as a dependency.
@Arun-Rangasamy Currently there is no open CVE in lodash: https://security.snyk.io/package/npm/lodash
Hi @falsyvalues, thanks for the clarification. An additional question: if lodash doesn't have the underscore library as a dependency, why does it keep showing up there, triggering different security scanners 🤔 Is there any way to get rid of this message?
if lodash doesn't have the underscore library as a dependency, why does it keep showing up there, triggering different security scanners 🤔
This seems like a bug in the security scanner you are using, not lodash.
@jaceklubzinski, as @Trott wrote, this is a bug in the security scanners.
Seen in https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js and https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.js
The latest underscore version is v1.13.6. Is it possible that this was somehow not updated when generating the production JS file?
Another question: I assume lodash has no dependency on underscore, right? "Based on" just means API compatibility. Correct me if I'm wrong.
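The thread boils down to two different ways of deciding whether a package "contains" underscore 1.8.3: matching the string in the license banner at the top of lodash.js, or checking what the package actually declares as a dependency. The following is an added example, not code from the lodash project or from anyone in this thread, that puts the two side by side so the false positive is visible. The banner text is an abridged version modelled on the lodash.js header, and both manifests are constructed for the example; the field names checked (dependencies, optionalDependencies, peerDependencies) are the standard npm package.json fields.

```javascript
// Added example (not lodash project code). Demonstrates why a text-matching
// scanner reports CVE-2021-23358 against lodash while a dependency-manifest
// check does not.

// Constructed: abridged header modelled on the banner at the top of lodash.js.
const LODASH_BANNER = `/**
 * @license
 * Lodash <https://lodash.com/>
 * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
 */`;

// Constructed: a minimal package.json-shaped manifest with no runtime
// dependencies, which is the situation the maintainers describe for lodash.
const LODASH_MANIFEST = { name: "lodash", version: "4.17.21" };

// Constructed: an application manifest that genuinely depends on the
// affected underscore release, for contrast.
const APP_MANIFEST = {
  name: "example-app",
  version: "1.0.0",
  dependencies: { underscore: "1.8.3" },
};

// Naive heuristic: treat any "Underscore.js <version>" string in a source
// file as evidence that that version of underscore is present.
// This is what produces the false positive on lodash's banner.
function bannerHeuristic(source) {
  const m = /Underscore\.js\s+(\d+\.\d+\.\d+)/.exec(source);
  return m ? { name: "underscore", version: m[1] } : null;
}

// Manifest check: report a package only if it is actually declared as a
// dependency in one of npm's dependency fields. Returns the field and the
// declared range, or null when the package is not depended on at all.
function declaredDependency(manifest, pkgName) {
  const fields = ["dependencies", "optionalDependencies", "peerDependencies"];
  for (const field of fields) {
    const deps = manifest[field];
    if (deps && Object.prototype.hasOwnProperty.call(deps, pkgName)) {
      return { field, range: deps[pkgName] };
    }
  }
  return null;
}

// Combine the two views for one package: the banner alone is not enough.
function assessUnderscoreExposure(source, manifest) {
  return {
    bannerMentionsUnderscore: bannerHeuristic(source) !== null,
    dependsOnUnderscore: declaredDependency(manifest, "underscore") !== null,
  };
}

module.exports = { bannerHeuristic, declaredDependency, assessUnderscoreExposure };
```

In practice the equivalent of declaredDependency is `npm ls underscore` run against your own lockfile: if underscore is not in the resolved tree, a finding attributed to lodash's banner is a scanner false positive and there is nothing in lodash to remediate.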