You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jul 24, 2024. It is now read-only.
I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by node-sass package.
The issue is mainly about node-sass using older/vulnerable version of lodash packages.
My question is if node-sass could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.
Here is the output of auditjs:
------------------------------------------------------------
[158/1242] lodash.clonedeep 4.5.0 [VULNERABLE] 2 known vulnerabilities affecting installed version
[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.clonedeep
CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.clonedeep
------------------------------------------------------------
------------------------------------------------------------
[769/1242] lodash.assign 4.2.0 [VULNERABLE] 2 known vulnerabilities affecting installed version
[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.assign
CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.assign
------------------------------------------------------------
------------------------------------------------------------
[770/1242] lodash.mergewith 4.6.1 [VULNERABLE] 2 known vulnerabilities affecting installed version
[CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.
ID: 12e63c9c-b3f9-42d3-8541-dca1b72cad69
Details: https://ossindex.sonatype.org/vuln/12e63c9c-b3f9-42d3-8541-dca1b72cad69
Dependency path: /node-sass/lodash.mergewith
CWE-471: Modification of Assumed-Immutable Data (MAID)
The software does not properly protect an assumed-immutable element from being modified by an attacker.
ID: 0f23ff35-235f-404f-8118-bc1580673fd0
Details: https://ossindex.sonatype.org/vuln/0f23ff35-235f-404f-8118-bc1580673fd0
Dependency path: /node-sass/lodash.mergewith
------------------------------------------------------------
Hello,
I use auditjs (https://www.npmjs.com/package/auditjs) in my CI build scripts.
This generates a vulnerability report for the package dependencies my project uses.
When the audit command is executed, it reports several warnings about lodash referenced by node-sass package.
The issue is mainly about node-sass using older/vulnerable version of lodash packages.
My question is if node-sass could be updated with a newer version of lodash (4.17.5 or newer), so that these audit warnings could be eliminated.
Here is the output of auditjs: