
There are fatal vulnerabilities in the lodash software that jdbc indirectly depends on.

Open fengnian7 opened this issue 4 years ago • 2 comments

Hi, I have some questions to ask. In version 0.6.3 of jdbc, there are fatal vulnerabilities in the dependent version 4.17.5 of lodash under java that jdbc directly depends on and under async of java. The two fatal vulnerabilities are CVE-2019-10744 and CVE-2020-36242 in version 4.17.5 of lodash. Do you have a plan to solve the vulnerabilities of lodash in the next version of jdbc? Thanks.

fengnian7 · Mar 21 '21 08:03

0.7.4 has been released back in January and lodash has been updated to 4.17.20.

CraZySacX · Mar 22 '21 13:03

Thank you for your reply. lodash version 4.17.20 still has the two vulnerabilities, but version 4.17.21 does not.

fengnian7 · Mar 27 '21 02:03