lodash
Open GitHub opened this alert on Aug 19
1 lodash vulnerability found in …/files/package.json on Aug 19
Remediation
Upgrade lodash to version 4.17.5 or later. For example:
    "dependencies": {
      "lodash": ">=4.17.5"
    }
or…
    "devDependencies": {
      "lodash": ">=4.17.5"
    }
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2018-3721
high severity
Vulnerable versions: < 4.17.5
Patched version: 4.17.5
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
This vulnerability does not affect the core react-native-desktop library and only affects project generation due to yeoman-generator. I have fixed this here which is currently blocked by #422.
@MaxRis @vkjr
fyi @corpetty