
Security | Critical vulnerability in [email protected]

Open · sforsberg opened this issue 4 years ago · 0 comments

Our dependency check has notified us that [email protected] has a CRITICAL security vulnerability, so that version should no longer be used and we should instead upgrade to a patched version of lodash.

From this report: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

npm ls lodash tree (oc-template-react-compiler):

├─┬ [email protected]
...
│ ├── [email protected]
...

Proposed Solution

Bump the version of lodash to the patched version 4.17.21.

Optionally, can we use a minor semver ^4.17.21 to keep this up to date without a release?

sforsberg · Oct 14 '21 13:10
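As an added example (not code from the issue or from the oc-template-react project), here is a small Node.js check that walks a dependency tree in the shape `npm ls --json` prints and reports every lodash copy older than the 4.17.21 release named in the advisory. The sample tree is constructed to mirror the `npm ls` excerpt above; the intermediate package name and the version numbers in it are placeholders, not the project's real dependency data.

```javascript
// Added example, not from the issue or the oc-template-react project.
// Flags every lodash copy in an `npm ls --json`-style tree that is older
// than the patched release from GHSA-35jh-r3h4-6jhm.

const PATCHED_LODASH = "4.17.21";

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect the dependency path of each vulnerable lodash copy,
// including nested (transitive) copies that a top-level bump would miss.
function findVulnerableLodash(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === "lodash" && compareVersions(info.version, PATCHED_LODASH) < 0) {
      out.push(here.join(" > "));
    }
    findVulnerableLodash(info, here, out);
  }
  return out;
}

// Constructed sample tree: one transitive lodash that is still unpatched
// and one direct lodash already at the patched version. All names and
// versions below other than lodash's are placeholders.
const sampleTree = {
  dependencies: {
    "oc-template-react-compiler": {
      version: "0.0.0-placeholder",
      dependencies: {
        "intermediate-dep-placeholder": {
          version: "1.0.0",
          dependencies: { lodash: { version: "4.17.20" } },
        },
        lodash: { version: "4.17.21" },
      },
    },
  },
};

console.log(findVulnerableLodash(sampleTree));
```

Feeding real `npm ls --json` output into `findVulnerableLodash` (for example via `JSON.parse`) lists the paths that still need a bump or an override.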