oauthjs / express-oauth-server

Complete, compliant and well tested module for implementing an OAuth2 Server/Provider with express in node.js
MIT License

Update Lodash to 4.17.21 #143

Open adriendomoison opened 3 years ago

adriendomoison commented 3 years ago

To avoid critical security issues, lodash needs to be updated to 4.17.21 urgently.

https://snyk.io/test/npm/lodash/4.17.20

spuxx1701 commented 2 years ago

Any news on this?

ybhwang commented 2 years ago

Same.

$ npm audit
lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
No fix available
node_modules/lodash
  oauth2-server  <=3.1.1
  Depends on vulnerable versions of lodash
  node_modules/oauth2-server
    express-oauth-server  *
    Depends on vulnerable versions of oauth2-server
    node_modules/express-oauth-server

3 vulnerabilities (2 high, 1 critical)

Some issues need review, and may require choosing
a different dependency.