
Security issues

Open · DrewRomanyk opened this issue 7 years ago · 1 comment

Due to the grunt-legacy-util dependency, we are getting the npm audit issue of the underscore.string Regular expression denial of service vulnerability. I created an issue here for the dependency. But also creating one here to keep track of resolving this issue.

DrewRomanyk, Feb 21 '19 19:02

This needs more attention. Don't let security lapses continue all the way from February into deep summer.

mcandre, Jul 18 '19 16:07

The issue with underscore.string 3.3.4 was fixed in underscore.string 3.3.5.

The grunt-legacy-util package used it as "underscore.string": "~3.3.4" which allows automatic updates of patch versions. If you see a warning, remove package-lock.json and re-run npm install. No changes to grunt were needed.

In addition, https://github.com/gruntjs/grunt-legacy-util/issues/24 was closed 18 Aug 2020 by https://github.com/gruntjs/grunt-legacy-util/commit/a065a7df951a56e5c5e0965586e7d92f5bd8e39d, and released as grunt-legacy-util 2.0.0, which in turn is used by grunt 1.3.0.

Krinkle, Jun 10 '24 00:06
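The comment above explains why no change to grunt was needed: a `~3.3.4` range already admits the patched 3.3.5, so only a stale `package-lock.json` keeps the vulnerable release installed. The following is an added example written for this page; it is not code from the grunt issue thread or from the grunt / grunt-legacy-util projects. It implements npm's tilde-range rule for plain `major.minor.patch` versions and walks a constructed lock fragment and a constructed registry listing through "lock present" and "lock regenerated" resolution. The version numbers (3.3.4 vulnerable, 3.3.5 fixed) are the ones named in the thread; the registry list, the lock fragment and the helper names (`satisfiesTilde`, `resolveHighest`, `installedVersion`, `regenerateLock`) are assumptions made for the example.

```javascript
// Added example for this page, not part of the grunt thread or code base.
// Shows why "~3.3.4" already permits the fixed 3.3.5 release, and why a stale
// package-lock.json keeps the vulnerable 3.3.4 installed until regenerated.

// Minimal parser for "major.minor.patch" strings (no prerelease/build tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison, suitable as a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// npm tilde rule: "~X.Y.Z" means >=X.Y.Z and <X.(Y+1).0, i.e. patch updates only.
function satisfiesTilde(range, version) {
  if (!range.startsWith('~')) throw new Error('only ~ ranges are handled here');
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (v.major !== base.major || v.minor !== base.minor) return false;
  return v.patch >= base.patch;
}

// Highest published version inside the range: what npm install picks with no lock.
function resolveHighest(range, available) {
  const ok = available.filter((v) => satisfiesTilde(range, v)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed inputs (assumptions for this example, not taken from the registry):
// the "~3.3.4" declaration quoted in the thread, a registry listing, the
// vulnerable release named in the thread, and a lock fragment pinning it.
const dependencyRange = '~3.3.4';
const registryVersions = ['3.3.3', '3.3.4', '3.3.5', '3.4.0'];
const vulnerableVersions = new Set(['3.3.4']); // underscore.string ReDoS, fixed in 3.3.5
const staleLock = { dependencies: { 'underscore.string': { version: '3.3.4' } } };

// A lock file wins over the range when present; otherwise the range is resolved.
function installedVersion(lock, range, available) {
  const locked = lock && lock.dependencies && lock.dependencies['underscore.string'];
  return locked ? locked.version : resolveHighest(range, available);
}

function isVulnerable(version) {
  return vulnerableVersions.has(version);
}

// "Remove package-lock.json and re-run npm install" amounts to resolving the
// range afresh and writing the result back into a new lock.
function regenerateLock(range, available) {
  return { dependencies: { 'underscore.string': { version: resolveHighest(range, available) } } };
}

// Stand-alone run: stale lock keeps 3.3.4, regenerated lock moves to 3.3.5.
const before = installedVersion(staleLock, dependencyRange, registryVersions);
const after = installedVersion(regenerateLock(dependencyRange, registryVersions), dependencyRange, registryVersions);
console.log(`stale lock: ${before} vulnerable=${isVulnerable(before)}`);
console.log(`regenerated: ${after} vulnerable=${isVulnerable(after)}`);
```

Note that the same reasoning is why `npm ci` keeps reporting the finding in CI: it installs exactly what the lock says, so the fix only lands once someone regenerates the lock entry (or runs `npm update` for that package) and commits it.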