Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update package.json - Security Fix #47

Closed
wants to merge 1 commit into from

Conversation

AlAyoub
Copy link

@AlAyoub AlAyoub commented Feb 25, 2021

Current versions of underscore have a a vulnerability. The most recent non-vulnerable version is 1.3.1 and that is why it is specified that way.

Current versions of underscore have a a vulnerability. The most recent non-vulnerable version is 1.3.1 and that is why it is specified that way.
@AlAyoub AlAyoub changed the title Update package.json Update package.json - Security Fix Feb 25, 2021
@pmuellr
Copy link
Member

pmuellr commented Feb 25, 2021

Current versions of underscore have a a vulnerability. The most recent non-vulnerable version is 1.3.1 and that is why it is specified that way.

Where did you get this information?

Downgrading that many releases seems ... bad. Seems like that was right before changes to _.template in 1.3.3, which seems ... not great.

I just looked at https://snyk.io/vuln/npm:underscore and ... looks clean to me!

The current version that should get picked up is 1.9.x

image

So ... this PR doesn't look like something that should be merged.

@pmuellr pmuellr closed this Feb 25, 2021
@AlAyoub
Copy link
Author

AlAyoub commented Feb 25, 2021

@pmuellr This issue opened up early this morning in Sonar Nexus.

I dug a little deeper and it appears the issue is that underscore is using a lodash script in underscore-min.js. This issue was recently resolved in Lodash 4.17.21, however, it looks like underscore will need to manually fix this issue since it's the actual script versus the lodash package.

https://github.com/lodash/lodash/issues/5083

With that said, even if underscore fixes the issue in the newest release, cfenv is restricting the version of underscore to 1.9.x which means it will not see the update as the fix would be in version 1.12.x.

Let me know if you need me to clarify or give more information, thanks.

@pmuellr
Copy link
Member

pmuellr commented Feb 25, 2021

Thanks for the info. A better fix will be to upgrade to some newer version of underscore, so let's wait for that to happen.

Can you provide a link to the Sonar Nexus vulnerability?

@AlAyoub
Copy link
Author

AlAyoub commented Feb 25, 2021

I can't post the actual nexus link because it's thru a corporation, only works internally...however, here is the CVE that is references 3 times.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337

Also, it's seeing the vulnerability in underscore-min.js.

@pmuellr
Copy link
Member

pmuellr commented Feb 25, 2021

Here's a PR that updates all the dependencies, but also bumps the major version since the CoffeeScript code generator now generates code that doesn't run in older Node.js runtimes.

PR #48

@AlAyoub
Copy link
Author

AlAyoub commented Mar 3, 2021

@pmuellr it turns out the security issue report by sonatype in the package underscore was a false alarm. Here are more details and my interaction with the maintainers at underscore:

jashkenas/underscore#2911

I apologize for any inconvenience and thank you for your time and effort.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants