moll / node-mitm

Intercept and mock outgoing Node.js network TCP connections and HTTP requests for testing. Intercepts and gives you a Net.Socket, Http.IncomingMessage and Http.ServerResponse to test and respond with. Super useful when testing code that hits remote servers.

FIX underscore CVE-2021-23358 #70

Closed mcaruso85 closed 3 years ago

mcaruso85 commented 3 years ago

The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.
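To make the advisory text concrete, here is an added example (not Underscore's code and not part of this thread) that re-implements the mechanism in miniature: a template compiler that passes the `variable` setting straight through as the parameter list of a `new Function(...)` call, the payload shape that abuses it (a default-parameter initializer, which is valid parameter syntax and runs whenever the compiled template is rendered without data), and a hardened variant that accepts only a bare identifier, mirroring the approach of the patched releases. The payload writes to a global sink standing in for whatever a real attacker would reach (for instance `child_process` via `require`); the function names, the `<%= %>` grammar and the exact identifier regex are the example's own assumptions.

```javascript
"use strict";

// Added example: a miniature of the mechanism behind CVE-2021-23358, not
// Underscore's own code. The compiled template takes its parameter list
// verbatim from settings.variable, the unsanitized spot the advisory names.
const INTERPOLATE = /<%=([\s\S]+?)%>/g;

function compileTemplateVulnerable(text, settings = {}) {
  // Turn "literal <%= expr %> literal" into string concatenation.
  let source = "let __p = '';\n";
  let index = 0;
  for (const m of text.matchAll(INTERPOLATE)) {
    source += "__p += " + JSON.stringify(text.slice(index, m.index)) + ";\n";
    source += "__p += (" + m[1] + ");\n";
    index = m.index + m[0].length;
  }
  source += "__p += " + JSON.stringify(text.slice(index)) + ";\nreturn __p;";
  // The flaw: whatever the caller put in `variable` becomes the parameter
  // list of the generated function, so it is parsed as JavaScript.
  return new Function(settings.variable || "obj", source);
}

// Payload shape: a default-parameter initializer. It is legal parameter
// syntax and executes whenever the template is rendered without an argument.
// Here it records into a global sink; a real payload would reach something
// like child_process instead.
function demonstrateInjection() {
  const hits = [];
  globalThis.__injectionSink = hits;
  try {
    const render = compileTemplateVulnerable("hello <%= obj.name %>", {
      variable:
        "obj = (globalThis.__injectionSink.push('injected code ran'), { name: 'attacker' })",
    });
    const output = render(); // no data passed: the initializer supplies it
    return { output, hits };
  } finally {
    delete globalThis.__injectionSink;
  }
}

// Hardened variant: accept only a bare identifier for `variable`. The fixed
// Underscore releases take this approach; the exact regex here is the
// example's own, the property that matters is that no expression syntax
// (defaults, commas, parentheses) gets through to new Function.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileTemplate(text, settings = {}) {
  const argument = settings.variable || "obj";
  if (!BARE_IDENTIFIER.test(argument)) {
    throw new Error("variable is not a bare identifier: " + argument);
  }
  return compileTemplateVulnerable(text, { variable: argument });
}

// Stand-alone run: show the injection, a normal render, and a rejection.
if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrateInjection());
  console.log(compileTemplate("hi <%= obj.name %>")({ name: "moll" }));
  try {
    compileTemplate("", { variable: "obj = process.exit()" });
  } catch (err) {
    console.log("rejected:", err.message);
  }
}
```

Note that the injection needs no control over the template text itself; an application that lets callers pick the `variable` name (for instance from a config or request field) is exposed even when every template is trusted.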

mcaruso85 commented 3 years ago

I use this package at the company I work for, and the blackduck scan reports this error with the underscore dependency. I can't consume this library unless all blackduck scan issues are fixed. That is why I changed the underscore library to the latest version.

moll commented 3 years ago

Hey!

Thanks for the heads up. Yeah, I suppose we can raise the upper bound on Underscore if it's compatible. The offending code isn't used by Mitm.js anyway, so there's no relevance to the security issue though. I see the diff includes changes to irrelevant parts of the package.json, too, incl. the version. Do you want to undo everything other than the few bytes that make up Underscore's upper version bound (and probably change it to < 1.14 rather than the specific v1.13.1 patch version), or should I do it?
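As an added example (not from the project and not part of this thread), a small triage helper that decides whether a resolved `underscore` version falls inside the two ranges quoted in the advisory text earlier in the thread, including the prerelease ordering that makes `1.13.0` and `1.13.1` safe while `1.13.0-1` is not. This is the check a reviewer runs against the installed tree before deciding whether a scanner finding is real, separate from the question raised above of whether `_.template` is reachable at all. The comparison is hand-written to SemVer precedence rules (a release outranks any prerelease of the same core; numeric prerelease identifiers compare numerically and sort before alphanumeric ones); the function names and the sample lockfile map are constructed for the example.

```javascript
"use strict";

// Added example, not from the project: classify resolved underscore versions
// against the ranges quoted in the advisory.
const VULNERABLE_RANGES = [
  { from: "1.3.2", before: "1.12.1" },      // 1.3.2 <= v < 1.12.1
  { from: "1.13.0-0", before: "1.13.0-2" }, // prerelease line of 1.13.0
];

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(version.trim());
  if (!m) throw new Error("not a semver version: " + version);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] === undefined ? null : m[4].split("."),
  };
}

// SemVer precedence: compare the core numerically; a release outranks any
// prerelease of the same core; prerelease identifiers compare left to right,
// numeric ones numerically and before alphanumeric ones; a longer identifier
// list outranks its own prefix.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === null && y.pre === null) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i];
    const q = y.pre[i];
    if (p === q) continue;
    const pNum = /^\d+$/.test(p);
    const qNum = /^\d+$/.test(q);
    if (pNum && qNum) return Number(p) < Number(q) ? -1 : 1;
    if (pNum !== qNum) return pNum ? -1 : 1;
    return p < q ? -1 : 1;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

function isVulnerable(version) {
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0
  );
}

// Triage every copy of the package found in a dependency tree. The map below
// is constructed sample input shaped like lockfile paths -> resolved version;
// nested copies are the ones a top-level bump in package.json does not fix.
function triage(resolved) {
  const out = {};
  for (const [path, version] of Object.entries(resolved)) {
    out[path] = isVulnerable(version);
  }
  return out;
}

const SAMPLE_LOCK = {
  "node_modules/underscore": "1.13.1",                     // what this PR pinned
  "node_modules/old-dep/node_modules/underscore": "1.8.3", // nested, still affected
  "node_modules/rc/node_modules/underscore": "1.13.0-1",   // affected prerelease
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(triage(SAMPLE_LOCK));
}
```

The nested entries are the point of running this over the whole tree rather than the top-level `package.json`: raising one range, whether to `1.13.1` or `< 1.14`, only changes what the top-level dependency resolves to, and a scanner will keep reporting any older copy a transitive dependency pulls in.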

mcaruso85 commented 3 years ago

Hey moll, thanks for your reply.

Yes, you are correct, it is not being used, but the scan reports the issue if it detects that the library has a problem, so I would appreciate it if it could be merged and a new version released.

I fixed the blank spaces as you specified, and the version with < 1.14.

Thanks moll

Martin

moll commented 3 years ago

Thank you!

Do you mind also squashing your intermediate commits, removing the version upgrade and the .gitignore addition, so the only change would actually be the Underscore upper bound?

Thank you in advance!

mcaruso85 commented 3 years ago

Hi moll, could you please check now? I think it is good now.

Thanks!

moll commented 3 years ago

Great. Thanks. I'll merge and release a new Mitm.js version as soon as possible.

mcaruso85 commented 3 years ago

Awesome. Thanks for your help!

moll commented 3 years ago

Thanks again. I'll release a new patch version in a few minutes.