Hi @mattallty,
Issue

Six vulnerabilities [3 high, 2 medium and 1 low severity] are introduced in @caporal/core:

1. Vulnerability CVE-2021-23337 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
2. Vulnerability CVE-2020-28500 (medium severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASH-1018905
3. Vulnerability CVE-2020-8203 (medium severity) is detected in package lodash (versions: <4.17.16): https://snyk.io/vuln/SNYK-JS-LODASH-567746
4. Vulnerability SNYK-JS-LODASH-608086 (high severity) is detected in package lodash (versions: <4.17.17): https://snyk.io/vuln/SNYK-JS-LODASH-608086
5. Vulnerability SNYK-JS-LODASH-590103 (high severity) is detected in package lodash (versions: <4.17.20): https://snyk.io/vuln/SNYK-JS-LODASH-590103
6. Vulnerability npmjs-advisories-1523 (low severity) is detected in package lodash (versions: >=0.1.0 <0.5.0-rc.1, >=0.5.0 <1.0.0-rc.1, >=1.0.0 <4.17.19): https://www.npmjs.com/advisories/1523

The above vulnerable package is referenced by @caporal/core via:

@caporal/core@2.0.2 ➔ lodash@4.17.15
Solution
Since **@caporal/core 2.0.2** is transitively referenced by **32** downstream projects (e.g., @gltf-transform/cli 0.11.3 (latest version), sentenza-bitbucket 1.0.0-rc6 (latest version), @rjgf/create-rj-app 0.1.30 (latest version), kustodize 0.1.5 (latest version), @spica/cli 0.9.2 (latest version)), if @caporal/core removes the vulnerable packages from the above versions, then its fixed version can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

In **@caporal/core 2.0.2**, you can kindly perform the following upgrades:

lodash 4.17.15 ➔ ~4.17.21

_Note: lodash >4.17.21 has fixed vulnerabilities CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, SNYK-JS-LODASH-608086, SNYK-JS-LODASH-590103 and npmjs-advisories-1523._
Thanks for your contributions to the npm ecosystem!
Best regards, Paimon
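An added check, written as example code for this page and not part of the issue or of the caporal project: it evaluates the advisory version ranges quoted in the report against a resolved lodash version (for instance the one pinned in a lockfile), so a maintainer can confirm which of the six listed advisories a given dependency entry still falls under, and that the suggested upgrade target clears all of them. The advisory identifiers and ranges are copied from the report above; the range grammar (comma-separated alternatives, whitespace-separated comparators), the semver comparison and the `advisoriesAffecting` helper are this example's own, dependency-free implementation and are assumptions about how such a check would be written, not the issue author's tooling.

```javascript
// Added example (not part of the original issue): evaluate the advisory
// version ranges from the report against a resolved lodash version.
// Range syntax handled: alternatives separated by commas, comparators
// (<, <=, >, >=, =) within one alternative separated by whitespace.

// Advisory ids and ranges copied from the report; everything else is constructed.
const LODASH_ADVISORIES = [
  { id: "CVE-2021-23337", severity: "high", range: "<4.17.21" },
  { id: "CVE-2020-28500", severity: "medium", range: "<4.17.21" },
  { id: "CVE-2020-8203", severity: "medium", range: "<4.17.16" },
  { id: "SNYK-JS-LODASH-608086", severity: "high", range: "<4.17.17" },
  { id: "SNYK-JS-LODASH-590103", severity: "high", range: "<4.17.20" },
  { id: "npmjs-advisories-1523", severity: "low",
    range: ">=0.1.0 <0.5.0-rc.1,>=0.5.0 <1.0.0-rc.1,>=1.0.0 <4.17.19" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Prerelease ordering per semver 2.0.0 section 11: a release outranks any
// prerelease of the same core; numeric identifiers compare numerically and
// rank below alphanumeric ones; a longer list wins when shared ids are equal.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return Math.sign(d);
    } else if (an !== bn) {
      return an ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a comparator callback.
function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

// True when `version` satisfies one comparator such as "<4.17.21" or ">=1.0.0".
function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>|=?)\s*(.+)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1]) {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// True when `version` falls inside any comma-separated alternative of `range`.
function inRange(version, range) {
  return range.split(",").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => satisfiesComparator(version, cmp)));
}

// Ids of all listed advisories whose range contains `version`.
function advisoriesAffecting(version, advisories = LODASH_ADVISORIES) {
  return advisories.filter((a) => inRange(version, a.range)).map((a) => a.id);
}

// The resolved version from the report's dependency path, and the upgrade target.
console.log("lodash@4.17.15:", advisoriesAffecting("4.17.15")); // all six ids
console.log("lodash@4.17.21:", advisoriesAffecting("4.17.21")); // []
```

Run it with `node`; to check a project, replace the version literal with the lodash version resolved in its lockfile. The prerelease handling matters only for the sixth advisory, whose range boundaries (`0.5.0-rc.1`, `1.0.0-rc.1`) are prereleases and would be mis-ordered by a plain numeric comparison.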