Lodash Vulnerability #808
daniloporfirio started this conversation in General
Replies: 0 comments
English:
Some of the project's dependencies, such as:
have dependencies on the Lodash library. In more recent versions, findup-sync has stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a vulnerability related to Prototype Pollution.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, has dependencies on Lodash versions earlier than 4.17.12. This means we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
The master branch of this project has more updated libraries where we wouldn't face issues with the Lodash vulnerability. So, to use jQuery-Mask-Plugin and avoid any problems, it would be advisable to manually import the library from the master branch instead of using package managers.
Portuguese (translated):
Some of the project's dependencies, such as:
depend on the Lodash library. In more recent versions, findup-sync has stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a Prototype Pollution vulnerability.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, depends on Lodash versions earlier than 4.17.12. This means we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
The master branch of this project has more up-to-date libraries, where we would not have problems with the Lodash vulnerability. In the current scenario, to use jQuery-Mask-Plugin and avoid any kind of problem, it would be worthwhile to import the library manually from the master branch instead of using package managers.
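The post's concern is a transitive dependency: Lodash below 4.17.12 pulled in through another package rather than declared directly. A quick way to confirm whether a given install is affected is to walk the lock file and compare every Lodash entry against the fixed version. The script below is an added example, not code from the discussion or from the jQuery-Mask-Plugin project; the lock-file contents, the `findup-sync` version and the nested Lodash versions in `SAMPLE_LOCK` are constructed for illustration. It handles both the nested v1 `dependencies` layout and the flat v2/v3 `packages` layout of `package-lock.json`.

```javascript
// Added example (not from the discussion or the jQuery-Mask-Plugin project):
// find every Lodash copy in a package-lock.json and flag versions below the
// fixed release named in the post (4.17.12).

const FIXED_LODASH = "4.17.12";

// Parse "major.minor.patch" into numbers; a leading "v" and any
// pre-release/build suffix are dropped.
function parseVersion(v) {
  const core = String(v).replace(/^[v=]/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a plain semver version: ${v}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableLodash(version) {
  return compareVersions(version, FIXED_LODASH) < 0;
}

// Collect every installed lodash copy with its install path.
// v2/v3 lock files carry a flat "packages" map keyed by path; v1 lock files
// (and v2 for backward compatibility) carry a nested "dependencies" tree.
// "packages" is preferred so a v2 file is not counted twice.
function findLodash(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/lodash" || path.endsWith("/node_modules/lodash")) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "lodash") hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// One record per Lodash copy, marking the ones below the fixed version.
function report(lock) {
  return findLodash(lock).map((h) => ({ ...h, vulnerable: isVulnerableLodash(h.version) }));
}

// Constructed v1-style lock file: a hypothetical findup-sync release that still
// nests an old Lodash, next to a patched top-level Lodash.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "jquery-mask-plugin": { version: "1.14.16" },
    "findup-sync": {
      version: "2.0.0", // constructed version
      dependencies: { lodash: { version: "4.17.11" } }, // constructed, below the fix
    },
    lodash: { version: "4.17.15" }, // constructed, at or above the fix
  },
};

// Stand-alone run: print the findings. To check a real install, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const hit of report(SAMPLE_LOCK)) {
  console.log(`${hit.path} lodash@${hit.version} ${hit.vulnerable ? "BELOW FIX" : "ok"}`);
}
```

Note that a patched top-level copy does not protect you: each nested `node_modules/lodash` is a separate module that the package above it actually loads, so every hit marked `BELOW FIX` matters on its own.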