This repository has been archived by the owner on Jul 24, 2024. It is now read-only.
[Security] Vulnerability in lodash below 4.17.5 used by sass-graph@2 #2614
Comments
|
We welcome a PR.
…On Fri., 15 Mar. 2019, 6:24 am Lachlan Heywood, ***@***.***> wrote:
https://www.npmjs.com/advisories/782
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith'
which allow a malicious user to modify the prototype of Object via
{constructor: {prototype: {...}}} causing the addition or modification of
an existing property that will exist on all objects.
Remediation
Update to version 4.17.11 or later.
Resolution: update to ***@***.*** The currently used version of
sass-graph is the last at v2, so some testing will be needed to upgrade to
v3
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#2614>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAjZWINK3Inyusrq3WVR7ypLKDfoDMzvks5vWqHrgaJpZM4b1CWA>
.
|
Closed
|
Per lodash/lodash#4348, an upgrade is required to address a recent security vulnerability CVE-2019-10744 and now version >= 4.17.12 is recommended. This new vulnerability applies to a module used in this repo |
quetzaluz
pushed a commit
to quetzaluz/node-sass
that referenced
this issue
Jul 26, 2019
quetzaluz
added a commit
to quetzaluz/node-sass
that referenced
this issue
Jul 26, 2019
# for free
to subscribe to this conversation on GitHub.
Already have an account?
#.
https://www.npmjs.com/advisories/782
Resolution: update to sass-graph@latest. The currently used version of sass-graph is the last at v2, so some testing will be needed to upgrade to v3
I'm happy to investigate a PR, though would be helpful to understand the usage of sass-graph before I get too deep. Is there anything that has prevented the upgrade in the past?
The text was updated successfully, but these errors were encountered: