Lodash Vulnerability #808
daniloporfirio
started this conversation in
General
Replies: 0 comments
English:
Some of the project's dependencies, such as:
have dependencies on the Lodash library. In more recent versions, findup-sync has stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a vulnerability related to Prototype Pollution.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, has dependencies on Lodash versions earlier than 4.17.12. This means we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
The master branch of this project has more updated libraries where we wouldn't face issues with the Lodash vulnerability. So, to use jQuery-Mask-Plugin and avoid any problems, it would be advisable to manually import the library from the master branch instead of using package managers.
Portuguese:
Some of the project's dependencies, such as:
have dependencies on the Lodash library. In more recent versions, findup-sync has stopped using Lodash.
According to the United States National Vulnerability Database, versions of the Lodash library prior to 4.17.12 have a Prototype Pollution vulnerability.
The latest release of the jQuery-Mask-Plugin project, version v1.14.16, has dependencies on Lodash versions earlier than 4.17.12. This means we are exposed to Prototype Pollution when using jQuery-Mask-Plugin.
This project's master branch has more up-to-date libraries, with which we would not have problems with the Lodash vulnerability. In the current scenario, to use jQuery-Mask-Plugin and avoid any kind of problem, it would be worthwhile to import the library manually from the master branch instead of using package managers.
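One way to check an application's own lock file for the transitive exposure described in this post is to walk the `packages` map of a `package-lock.json` and flag every Lodash copy older than 4.17.12. This is an added example, not code from the discussion or from jQuery-Mask-Plugin; the sample lock-file contents and the dependency name `some-tool` are constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for Lodash installs below the version the post names as fixed.
const FIXED_LODASH = "4.17.12";

// Compare two dotted version strings numerically. Pre-release suffixes are
// dropped; this is a minimal comparator, not a full semver implementation.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lock-file path that installs lodash below FIXED_LODASH.
// Keys in `lock.packages` look like "node_modules/a/node_modules/lodash",
// so nested (transitive) copies are found as well as the top-level one.
function findVulnerableLodash(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    if (compareVersions(meta.version, FIXED_LODASH) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lock file: the app's own lodash is patched, but a
// hypothetical dependency "some-tool" pins an older copy underneath it.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "1.2.3" },
    "node_modules/some-tool/node_modules/lodash": { version: "4.17.11" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const vulnerable = findVulnerableLodash(sampleLock);
console.log(vulnerable); // one hit: the nested 4.17.11 copy
```

A non-empty result means a vulnerable Lodash is still reachable through a transitive dependency even when the top-level copy is current.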