pawelgalazka / tasksfile

Minimalistic task runner for node.js
MIT License

npm install: 3 vulnerabilities (2 low, 1 high) #116

Closed: fnbk closed this 2 years ago

fnbk commented 3 years ago

The current package taskfile@5.1.1 has a vulnerability because the transitive dependency lodash@4.17.0 is used in @pawelgalazka/cli (more details).

Merging the dependabot PR should easily solve this issue.

$ npm audit
# npm audit report

lodash  <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
No fix available
node_modules/@pawelgalazka/cli/node_modules/lodash
  @pawelgalazka/cli  *
  Depends on vulnerable versions of lodash
  node_modules/@pawelgalazka/cli
    tasksfile  *
    Depends on vulnerable versions of @pawelgalazka/cli
    node_modules/tasksfile

3 vulnerabilities (2 low, 1 high)

Some issues need review, and may require choosing
a different dependency.

fnbk commented 3 years ago

@pawelgalazka What do you think? When could you do that?

henhal commented 3 years ago

@pawelgalazka Any updates? See https://github.com/pawelgalazka/cli/issues/11

henhal commented 2 years ago

Six months later and this still causes audit warnings for me, would you consider upgrading lodash via the dependabot PR and/or switching to caret notation for dependencies so that users can override it in their lock files? @pawelgalazka
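The audit tree in the first post shows why the warning survives a top-level lodash upgrade: the vulnerable copy is the nested one under `node_modules/@pawelgalazka/cli/node_modules/lodash`. The following is an added example (not code from the issue or from the tasksfile project) that walks a `package-lock.json` "packages" map and reports every installed copy of a package whose version falls inside the range `npm audit` flagged, nested copies included. The lock file is constructed inline to mirror the tree above; the `@pawelgalazka/cli` version number in it is a placeholder.

```javascript
// Added example, not part of the issue or the tasksfile project.
// Constructed lock file (lockfileVersion 2/3 layout) mirroring the tree
// that `npm audit` printed: the top-level lodash is already patched, but
// @pawelgalazka/cli carries its own nested, older copy.
const lockfile = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { tasksfile: "^5.1.1", lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/tasksfile": { version: "5.1.1" },
    "node_modules/@pawelgalazka/cli": { version: "0.0.0" }, // placeholder
    "node_modules/@pawelgalazka/cli/node_modules/lodash": { version: "4.17.0" },
  },
};

// Compare two "major.minor.patch" strings numerically; returns -1, 0 or 1.
// A pre-release suffix such as "-beta.1" is ignored for the comparison.
function compareSemver(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` with version <= maxVulnerable.
// The package name is taken from the segment after the LAST "node_modules/"
// in the path, so nested duplicates are found as well as the top-level one.
function findVulnerableCopies(lock, name, maxVulnerable) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages)) {
    if (path === "" || !info.version) continue; // skip the root entry
    const installedName = path.slice(path.lastIndexOf(marker) + marker.length);
    if (installedName !== name) continue;
    if (compareSemver(info.version, maxVulnerable) <= 0) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// lodash <=4.17.20 is the range reported by `npm audit` in this issue.
const vulnerable = findVulnerableCopies(lockfile, "lodash", "4.17.20");
console.log(vulnerable);
```

Running it against a real lock file only needs `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object; any path it prints that is not directly under `node_modules/` is a nested copy that a top-level version bump or lock-file edit will not reach.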

binaryben commented 2 years ago

I like the simplicity of this, but it might be time to fork and keep it actively maintained. Audit warnings a year on are a problem.