react-bootstrap-table / react-bootstrap-table2

Next Generation of react-bootstrap-table
https://react-bootstrap-table.github.io/react-bootstrap-table2/
MIT License
1.26k stars, 432 forks

Underscore version #1605

Open nvasilev98 opened 3 years ago

nvasilev98 commented 3 years ago

Hello,

We are facing vulnerabilities with the underscore library version; our security scan says that its version is outdated and suggests that we update it. Since we are not using underscore directly and it comes as a dependency of react-bootstrap-table-next, we can't change it. We have been wondering if you still maintain react-bootstrap-table-next, because the last release is from almost a year ago, and if you do, will you bump the underscore version in upcoming releases?

Best Regards, Nikolay

pieceofsoft commented 3 years ago

I face the same problem. I saw that the underscore dependency is explicitly set to version 1.9.1 so it is not possible to use a newer version (even if I install it as dependency of my package). Underscore has a newer version (1.12.1) which does not have the vulnerability. Do you plan to update it? By the way, I'm using react-bootstrap-table-next's version 3, I'd be very happy if you can bump underscore version in both v4 and v3. But if it's only in v4 then that's good too, at least I'll have a way to solve my problem.

bmmpt commented 3 years ago

I'm using Parcel 2 to build my React app and the current underscore 1.9.1 is breaking at runtime, because of Parcel's scope hoisting feature. I've checked that underscore 1.13.1 works fine with Parcel's scope hoisting functionality, so I'm really interested in this change.

sricks commented 3 years ago

There was an arbitrary code execution notice posted for this Underscore version today: https://www.npmjs.com/advisories/1674

Any chance of updates?

bmmpt commented 3 years ago

@AllenFang I'm trying to create a PR for this, but getting: [image]

pieceofsoft commented 3 years ago

Noticed that dependabot created a PR (#1612), bumped the version from 1.9.1 to 1.12.1

ahmetemrebasakcioglu commented 3 years ago

Same problem here, when will it be fixed? Thanks

KirillRas commented 3 years ago

Same problem here.

bigfuture-test commented 3 years ago

@AllenFang please merge the dependabot alert. Is this project on active development?

ahmetemrebasakcioglu commented 3 years ago

@AllenFang please merge the dependabot alert. Is this project on active development?

@AllenFang any luck? Still waiting for this merge

bmmpt commented 3 years ago

This is a great project and is on active development, but it is super slow moving at times...

bmmpt commented 3 years ago

@chunming-c, do you have permission to merge this? Looks like nothing has been merged in since Aug 2020 :(

ahmetemrebasakcioglu commented 3 years ago

I think we must give up using this package 👎

navot-eloomina commented 3 years ago

anything new?

Akshaypal8 commented 2 years ago

Hello,

We are facing vulnerabilities with the underscore library version; our security scan says that its version is outdated and suggests that we update it. Since we are not using underscore directly and it comes as a dependency of react-bootstrap-table-next, we can't change it. We have been wondering if you still maintain react-bootstrap-table-next, because the last release is from almost a year ago, and if you do, will you bump the underscore version in upcoming releases?

Best Regards, Nikolay

I am also facing the same issue; is there any update regarding the same?

subhodeepg commented 2 years ago

Any updates on this merge?

shailesh-patole commented 2 years ago

Hi, any update on the merge?

v-ashrirao commented 2 years ago

Hi Team, do we have an update for this issue?

maurojeandet commented 2 years ago

Hi Team, do we have any updates for this issue? Still getting the vulnerability issue

ethanbonin commented 2 years ago

For those using yarn & dealing with this vulnerability, you can use resolutions in your package.json.

You are relying on an unmaintained but working package and one of its dependencies got upgraded. You know the upgrade would not break things and you also don’t want to fork the package you are relying on, just to update a minor dependency.

"resolutions": {
  "react-bootstrap-table-next/underscore": "1.13.0-2"
},

then run yarn install to fix the dependencies.

lukekoch commented 1 year ago

Since this repository seems to be no longer maintained, a version fix is unlikely. There have been efforts to fork the repository and maintain the fork (or at least bump the versions of dependencies as needed). The most active one I have found yet is: https://github.com/BonnierNews/react-bootstrap-table2

The maintainer provides a short summary on how to replace the dependency for react-bootstrap-table-next in your package.json making this viable for use with npm as well.

mageshn18 commented 1 month ago

You can use overrides in package.json to use the underscore package with a safe version.

https://github.com/advisories/GHSA-cf4h-3jhx-xvhq

"overrides": { "underscore": "1.12.1" },