stoplightio / http-spec

Utilities to normalize OpenAPI v2 and v3 objects for the Stoplight ecosystem.
https://stoplight.io
Apache License 2.0

Dependency on lodash.pick Introduces Vulnerabilities #263

Closed aikms-maker closed 9 months ago

aikms-maker commented 10 months ago

Hello,

I'm encountering a security concern in a project that uses the @stoplight/http-spec library, specifically relating to its dependency on lodash.pick. The concern is about vulnerabilities present in lodash.pick.

According to a comment on the GitHub Lodash repository, using individual method packages like lodash.pick seems not recommended. This is due to the potential lack of frequency in security updates and maintenance compared to the main lodash library.

To address this issue, could you consider replacing the usage of lodash.pick with the entire lodash library, or exploring other alternatives? This could mitigate security risks and enhance the safety of the library.

Thank you for considering this request.

Best regards,
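The request above amounts to a dependency-audit question: which per-method lodash packages (`lodash.pick` and similar) are present in the install tree, and which direct dependency pulls each one in. The script below is an added example written for this thread; it is not code from the http-spec project or from any of the commenters. It walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` (an object already parsed with `JSON.parse`) and reports every `lodash.<method>` package together with the entries that declare it. The lockfile embedded at the bottom is constructed for illustration; its versions are placeholders.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for per-method lodash packages such as lodash.pick, and report which
// dependency declares each one so the replacement can be requested upstream.

// Per-method lodash packages are published as "lodash.<methodname>".
const PER_METHOD_LODASH = /^lodash\.[a-z0-9]+$/;

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const segments = lockPath.split('node_modules/').filter(Boolean);
  return segments[segments.length - 1].replace(/\/$/, '');
}

// Returns one finding per installed lodash.<method> package with the
// names of every lockfile entry whose "dependencies" field declares it.
// The root project entry (key "") is reported as "<root project>".
// Note: this matches dependents by name across the whole tree, so when
// several copies of one package are installed a dependent may be listed
// against each copy; for the question "who brings this in?" that is enough.
function findPerMethodLodash(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (lockPath === '') continue; // root project, not an installed package
    const name = packageNameFromPath(lockPath);
    if (!PER_METHOD_LODASH.test(name)) continue;
    const dependents = Object.entries(packages)
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p]) => (p === '' ? '<root project>' : packageNameFromPath(p)));
    findings.push({ name, version: meta.version, dependents });
  }
  return findings;
}

// Human-readable lines for a ticket or CI log; the suggested replacement
// is the method from the main "lodash" package, which stays maintained.
function formatReport(findings) {
  return findings.map((f) => {
    const method = f.name.slice('lodash.'.length);
    return `${f.name}@${f.version} declared by ${f.dependents.join(', ')}; ` +
      `replace with \`import { ${method} } from 'lodash'\` (check casing)`;
  });
}

// Constructed sample lockfile: a project depending on @stoplight/http-spec,
// which in turn declares lodash.pick. Versions are placeholders.
const SAMPLE_LOCK = {
  name: 'example-project',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-project',
      dependencies: { '@stoplight/http-spec': '0.0.0-placeholder', lodash: '0.0.0-placeholder' },
    },
    'node_modules/lodash': { version: '0.0.0-placeholder' },
    'node_modules/@stoplight/http-spec': {
      version: '0.0.0-placeholder',
      dependencies: { 'lodash.pick': '0.0.0-placeholder' },
    },
    'node_modules/lodash.pick': { version: '0.0.0-placeholder' },
  },
};

// Stand-alone run: prints the report for the constructed lockfile.
for (const line of formatReport(findPerMethodLodash(SAMPLE_LOCK))) {
  console.log(line);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The "check casing" hint exists because per-method package names are all lowercase while lodash method names are camelCase, so the mapping back to the main package is not always mechanical.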

lmmcampbell commented 10 months ago

Hi,

We are also encountering this security concern, and would appreciate the replacement of lodash.pick with the entire lodash library. Thanks!

daniel-albuschat commented 9 months ago

It is very concerning that fixing this security vulnerability, which is scored as "HIGH" severity, takes over a month, without any response from the maintainers. :-(