Lodash Vulnerability #808
daniloporfirio started this conversation in General
Replies: 0 comments
English:
Some of the project's dependencies, such as:
have dependencies on the Lodash library. In more recent versions, findup-sync has stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a vulnerability related to Prototype Pollution.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, has dependencies on Lodash versions earlier than 4.17.12. This means we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
The master branch of this project has more updated libraries where we wouldn't face issues with the Lodash vulnerability. So, to use jQuery-Mask-Plugin and avoid any problems, it would be advisable to manually import the library from the master branch instead of using package managers.
Portuguese (translated):
Some of the project's dependencies, such as:
have dependencies on the Lodash library. In more recent versions, findup-sync stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a Prototype Pollution vulnerability.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, has dependencies on Lodash versions earlier than 4.17.12. This implies that we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
The master branch of this project has more up-to-date libraries, with which we would not have problems with the Lodash vulnerability. In the current scenario, to use jQuery-Mask-Plugin and avoid any kind of problem, it would be worthwhile to import the library manually from the master branch instead of using package managers.
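The post's concern is a transitive dependency: a build tool pulls in findup-sync, which pulls in an old Lodash. The script below is an added example, not code from the discussion or from the jQuery-Mask-Plugin project. It walks a package-lock.json-shaped dependency tree and reports every `lodash` entry older than the 4.17.12 fix line named above, together with the chain of packages that introduces it. The sample tree and its version numbers are constructed for illustration (the findup-sync and "some-build-tool" versions are hypothetical), and a real audit would load `require('./package-lock.json')` instead.

```javascript
// Added example (not from the original discussion): audit a package-lock.json
// style tree for lodash versions below the 4.17.12 fix line cited in the post.

// Parse "MAJOR.MINOR.PATCH" into three numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is strictly older than version b (numeric, field by field).
function isOlder(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// First Lodash release without the Prototype Pollution issue, per the post.
const FIXED_LODASH = '4.17.12';

// Recursively collect every lodash entry older than the fix, with the path that pulls it in.
function findVulnerableLodash(deps, path = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === 'lodash' && isOlder(entry.version, FIXED_LODASH)) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    // Nested "dependencies" is the lockfile v1 layout for non-hoisted packages.
    findVulnerableLodash(entry.dependencies, here, out);
  }
  return out;
}

// Entry point: takes the parsed lockfile object and returns the findings.
function auditLock(lock) {
  return findVulnerableLodash(lock.dependencies);
}

// Constructed sample lock tree (hypothetical package names and versions; only the shape matters).
const sampleLock = {
  dependencies: {
    'some-build-tool': {
      version: '1.0.0',
      dependencies: {
        'findup-sync': {
          version: '2.0.0',
          dependencies: { lodash: { version: '4.17.10' } },
        },
      },
    },
    'other-lib': {
      version: '3.1.0',
      dependencies: { lodash: { version: '4.17.21' } },
    },
  },
};

for (const hit of auditLock(sampleLock)) {
  console.log(`lodash ${hit.version} < ${FIXED_LODASH}: ${hit.path}`);
}
```

Run against the constructed tree it reports the single chain `some-build-tool@1.0.0 > findup-sync@2.0.0 > lodash@4.17.10` and stays silent for the patched 4.17.21 copy. The version comparison is deliberately numeric rather than a string compare, since `'4.17.9' > '4.17.12'` lexically; `npm audit` performs the same kind of check against the advisory database, but having the path printed makes it clear which top-level package needs updating or replacing, which is the decision the post is about.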