mmanela / chutzpah

Chutzpah is an open source JavaScript test runner which enables you to run unit tests using QUnit, Jasmine, Mocha and TypeScript.
http://mmanela.github.io/chutzpah/
Apache License 2.0

Security Vulnerability with Chutzpah using Lodash 4.17.15 #797

Closed PramodMn007 closed 3 years ago

PramodMn007 commented 3 years ago

Security vulnerability: Command Injection (CVE-2021-23337) in Lodash. Chutzpah is still using Lodash version 4.17.15.

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template. https://snyk.io/vuln/SNYK-JS-LODASH-1040724

The vulnerability is fixed by Lodash in the new version 4.17.21: https://github.com/lodash/lodash/issues/5083

Can Chutzpah be updated with the same?

PramodMn007 commented 3 years ago

I see a pull request with the Lodash version bumped to 4.17.21. Any tentative dates to update the NuGet package?

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

serhiypukhanov commented 3 years ago

Fixed in 4.4.11