rolandtoth / AdminOnSteroids

Various ProcessWire admin tweaks to boost productivity.
https://processwire.com/talk/topic/13389-adminonsteroids/
GNU General Public License v2.0

Security Alert from GitHub #110

Closed BernhardBaumrock closed 5 years ago

BernhardBaumrock commented 5 years ago

Just got this security alert from github:

lodash
Open. GitHub opened this alert 16 hours ago.
1 lodash vulnerability found in …/AdminOnSteroids/package-lock.json 16 hours ago

Remediation
Upgrade lodash to version 4.17.13 or later. For example:

"dependencies": { "lodash": ">=4.17.13" }
or…
"devDependencies": { "lodash": ">=4.17.13" }

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-10744 (More information)
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
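The advisory quoted above describes the bug class, not the fix. As an added example (not code from AdminOnSteroids, and not lodash's own implementation), the block below shows the defensive pattern behind the patched behaviour: a deep "defaults" merge that never assigns or descends into the keys able to reach Object.prototype (`__proto__`, `constructor`, `prototype`), plus a probe that reports whether the prototype was touched. The input it merges is constructed for the demo with the shape the advisory names, so the assertion is that merging it leaves a fresh object unaffected.

```javascript
// Added example for this thread; it is not code from AdminOnSteroids or
// from lodash. Everything below (function names, the sample config and the
// constructed input) is made up for the demonstration.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (object literals, JSON.parse output, null-prototype
// objects) are merged recursively; arrays, Dates and class instances are
// treated as leaf values and copied by reference.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fill properties missing from `target` with values from `source`, recursing
// into nested plain objects ("defaults" semantics: existing values win).
// Forbidden keys are never assigned or descended into; their names are
// appended to `skipped` so the caller can log the rejected input.
function safeDefaultsDeep(target, source, skipped = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      skipped.push(key);
      continue;
    }
    const has = Object.prototype.hasOwnProperty.call(target, key);
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      if (!has) target[key] = {};
      // An existing non-object value is kept, so only recurse when the
      // target side is itself a plain object.
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], incoming, skipped);
    } else if (!has) {
      target[key] = incoming;
    }
  }
  return target;
}

// Probe: after processing untrusted input, a brand-new object must not see
// `name` anywhere on its prototype chain, and Object.prototype must not own it.
function prototypeIsClean(name) {
  return !(name in {}) &&
    Object.getOwnPropertyDescriptor(Object.prototype, name) === undefined;
}

// Constructed test input with the shape the advisory names (a "constructor"
// key leading to "prototype"), parsed from JSON as untrusted input would be.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"theme":"dark","opts":{"b":2}}'
);

// Merge the constructed input into application defaults and report the
// resulting config, which keys were rejected, and whether the prototype is clean.
function demo() {
  const skipped = [];
  const config = safeDefaultsDeep({ theme: "light", opts: { a: 1 } }, CONSTRUCTED_INPUT, skipped);
  return { config, skipped, clean: prototypeIsClean("polluted") };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The `skipped` list is the part worth wiring into logging: a config loader that silently drops `__proto__` or `constructor` keys is safe, but one that also records them tells you that someone sent that input.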

rolandtoth commented 5 years ago

Thanks, fixed.

No open alerts on lodash were found in package-lock.json. Alerts may have been resolved and deleted by recent pushes to this repository.

BernhardBaumrock commented 5 years ago

Another one: @rolandtoth [image]

Do you want me to report these alerts, or do you get them yourself from GitHub?

rolandtoth commented 5 years ago

I don't see this. Anyway, I turned "Automated security fixes" ON; let us see if it helps in the future.