Closed mcaruso85 closed 3 years ago
I use this package at the company I work for, and the Black Duck scan reports this error for the underscore dependency. I can't consume this library if not all Black Duck scan issues are fixed. That is why I changed the underscore library to the latest version.
Hey!
Thanks for the heads up. Yeah, I suppose we can raise the upper bound on Underscore if it's compatible. The offending code isn't used by Mitm.js anyway, so there's no relevance to the security issue though. I see the diff includes changes to irrelevant parts of the package.json, too, incl. the version. Do you want to undo everything other than the few bytes that make up Underscore's upper version bound (and probably change it to < 1.14 rather than the specific v1.13.1 patch version) or should I do it?
Hey moll, thanks for your reply.
Yes, you are correct, it is not being used, but the scan reports the issues if it detects that the library has a problem, so I would appreciate it if it can be merged and a new version released.
I fixed the blank spaces as you specified, and changed the version bound to < 1.14.
Thanks moll
Martin
Thank you!
Do you mind also squashing your intermediate commits, removing the version upgrade and the .gitignore addition, so the only change would actually be the Underscore upper bound?
Thank you in advance!
Hi moll, could you please check now? I think it is good now.
Thanks!
Great. Thanks. I'll merge and release a new Mitm.js version as soon as possible.
Awesome. Thanks for your help!
Thanks again. I'll release a new patch version in a few minutes.
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
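As an added example (not code from the Mitm.js PR or the advisory), the check below tells whether an installed Underscore version falls inside the two affected ranges quoted above. It implements SemVer precedence by hand rather than assuming the `semver` package is available, because the lower range edge is a prerelease (1.13.0-0 sorts below 1.13.0), which naive string or float comparison gets wrong.

```javascript
// Added example, not part of the Mitm.js PR. Minimal SemVer comparison
// (assumption: no `semver` package available offline) used to test whether an
// installed Underscore version lies in the ranges from the advisory above.

// Affected ranges from the advisory: [1.3.2, 1.12.1) and [1.13.0-0, 1.13.0-2).
// Each entry is [inclusive lower bound, exclusive upper bound].
const AFFECTED_RANGES = [
  ['1.3.2', '1.12.1'],
  ['1.13.0-0', '1.13.0-2'],
];

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into a comparable structure.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a SemVer version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// SemVer precedence: compare the numeric core first; a prerelease sorts below
// the release with the same core (1.13.0-2 < 1.13.0); prerelease identifiers
// compare numerically when both are numeric, numeric ones rank below
// alphanumeric ones, otherwise ASCII order; fewer identifiers ranks lower.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === null && y.pre === null) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      const d = Number(x.pre[i]) - Number(y.pre[i]);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (xn !== yn) return xn ? -1 : 1;
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside any affected range.
function isAffectedUnderscore(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}
```

Feeding it the version resolved in the lockfile (for example `require('underscore/package.json').version`) gives a yes/no answer that matches the advisory's ranges exactly, including the prerelease edge cases.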