shadcn-ui / ui

Beautifully designed components that you can copy and paste into your apps. Accessible. Customizable. Open Source.
https://ui.shadcn.com
MIT License
62.83k stars 3.53k forks

[bug]: There is a vulnerability in shadcn-ui@0.8.0 > lodash.template@4.5.0 #3978

Open tar-aldev opened 2 weeks ago

tar-aldev commented 2 weeks ago

Describe the bug

When running pnpm audit I can see that there is a vulnerability in lodash and lodash is used by shadcn-ui under the hood.

high │ Command Injection in lodash
│ Package │ lodash.template
│ Vulnerable versions │ <=4.5.0
│ Patched versions │ <0.0.0
│ Paths │ . > shadcn-ui@0.8.0 > lodash.template@4.5.0
│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm

Affected component/components

shadcn-ui

How to reproduce

Install "shadcn-ui": "^0.8.0" using pnpm

Codesandbox/StackBlitz link

No response

Logs

No response

System Info

"shadcn-ui": "^0.8.0",

Before submitting
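The audit finding above is a transitive one (shadcn-ui pulls in lodash.template), and the first question a maintainer or consumer has to answer is whether the vulnerable package is reachable at runtime or only through a development-time tool, and whether any patched version exists at all. The script below is an added example for this thread, not code from shadcn-ui or from the reporter: it triages a pnpm audit --json report against package.json. It assumes the npm-audit-compatible JSON shape that pnpm emits (an "advisories" object keyed by advisory id, each with "findings" whose "paths" are "> "-joined chains) and that "<0.0.0" in patched_versions is the audit convention for "no fix available". The sample report, advisory id and package.json are constructed to mirror the table in the issue.

```python
"""Triage a `pnpm audit --json` report: which advisory reaches the project
through which direct dependency, whether that direct dependency is declared
as a devDependency (build/CLI tooling) or a runtime dependency, and whether
the advisory lists any patched version.

Added example for this issue thread; not part of shadcn-ui. Assumes the
npm-audit-compatible JSON layout pnpm prints with `pnpm audit --json`.
"""
import json

# Constructed sample report mirroring the finding in the issue; the advisory
# id "1000001" is a placeholder, not a real advisory number.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1000001": {
            "module_name": "lodash.template",
            "severity": "high",
            "title": "Command Injection in lodash",
            "vulnerable_versions": "<=4.5.0",
            "patched_versions": "<0.0.0",
            "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
            "findings": [
                {"version": "4.5.0",
                 "paths": [". > shadcn-ui@0.8.0 > lodash.template@4.5.0"]}
            ],
        }
    }
})

# Constructed package.json: shadcn-ui is assumed to be installed as a dev tool.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"react": "^18.2.0"},
    "devDependencies": {"shadcn-ui": "^0.8.0"},
})


def split_path(path: str) -> list[str]:
    """'. > shadcn-ui@0.8.0 > lodash.template@4.5.0' -> ['shadcn-ui', 'lodash.template'].

    The leading '.' is the project root and is dropped. The version suffix is
    removed with rsplit on the last '@' so scoped names like '@scope/pkg@1.0.0'
    keep their '@' prefix.
    """
    names = []
    for part in (p.strip() for p in path.split(">")):
        if part == ".":
            continue
        names.append(part.rsplit("@", 1)[0])
    return names


def triage(audit_json: str, package_json: str) -> list[dict]:
    """Return one row per (advisory, dependency path) with the facts a
    defender needs: the direct dependency that introduces the package,
    whether it is dev-only, and whether a fixed version exists."""
    audit = json.loads(audit_json)
    pkg = json.loads(package_json)
    dev = set(pkg.get("devDependencies", {}))
    runtime = set(pkg.get("dependencies", {}))
    rows = []
    for adv in audit.get("advisories", {}).values():
        # npm/pnpm audit use "<0.0.0" to say no patched version exists
        fix_available = adv.get("patched_versions") not in (None, "", "<0.0.0")
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                chain = split_path(path)
                if not chain:
                    continue
                direct = chain[0]
                rows.append({
                    "package": adv["module_name"],
                    "severity": adv["severity"],
                    "direct_dependency": direct,
                    "direct_is_dev": direct in dev and direct not in runtime,
                    "fix_available": fix_available,
                    "advisory": adv.get("url"),
                })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_JSON, SAMPLE_PACKAGE_JSON):
        print(json.dumps(row, indent=2))
```

Run it against real output by replacing the constructed strings with the contents of `pnpm audit --json` and your package.json. A row with direct_is_dev true and fix_available false is the situation in this issue: the vulnerable package is only reachable through a development-time dependency, and there is no upstream version to bump to, so the remaining options are for the direct dependency (here shadcn-ui) to drop or replace lodash.template, or for the consumer to document the finding as build-time only.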

jimmyntu commented 1 week ago

Hi shadcn team, could you help to address this high security issue?