Async: Medium severity vulnerability found in lodash

Created on 4 Feb 2019  ·  4 Comments  ·  Source: caolan/async

snyk reports a Regular Expression Denial of Service vulnerability on one of your dependencies, lodash 4.17.5.

✗ Medium severity vulnerability found in lodash
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-73639
  Introduced through: [email protected]
  From: [email protected] > [email protected]
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of lodash. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

and

Analyzing npm dependencies for package.json
Querying vulnerabilities database...
Tested 255 dependencies for known vulnerabilities, found 3 vulnerabilities, 23 vulnerable paths.

? 2 vulnerabilities introduced via [email protected]
- info: https://snyk.io/package/npm/async/2.6.1

Thanks in advance!
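Snyk's "vulnerable paths" count above comes from walking the dependency tree and reporting each route that ends at an affected lodash version. The script below is an added example (not part of this issue or the async project) that does the same over a package-lock.json v1 tree; the lockfile content is constructed for illustration, and the 4.17.11 threshold is taken from the snyk advisory linked in the report.

```javascript
// Added example: list every install-tree path in a package-lock.json (v1)
// that ends at a lodash release older than the fixed version. Paths follow
// the nested node_modules layout recorded under "dependencies", not the
// logical "requires" graph.

function parseVersion(v) {
  return v.split('.').map(Number);
}

// true when a < b, comparing major.minor.patch numerically (no prerelease tags)
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns "root@v > dep@v > ... > pkg@v" strings for each occurrence of pkg
// whose version is below fixedVersion.
function findVulnerablePaths(lock, pkg, fixedVersion) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(`${name}@${info.version}`);
      if (name === pkg && versionLessThan(info.version, fixedVersion)) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here); // descend into nested node_modules
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// Constructed lockfile fragment mirroring the report: async 2.6.1 nests
// lodash 4.17.5, a hoisted lodash is also outdated, and one dependency
// already carries a fixed release (4.17.11 per the snyk advisory).
const sampleLock = {
  name: 'my-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    async: { version: '2.6.1', dependencies: { lodash: { version: '4.17.5' } } },
    'some-tool': { version: '0.1.0', dependencies: { lodash: { version: '4.17.11' } } },
    lodash: { version: '4.17.10' },
  },
};

console.log(findVulnerablePaths(sampleLock, 'lodash', '4.17.11').join('\n'));
```

Run against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of the constructed object; an empty result after reinstalling confirms no nested copy is still pinning the old release.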

All 4 comments

Bump

We don't use that method so it doesn't apply to us. We removed lodash in v3.0. I think there were some issues for us to migrate off that minor version of lodash on the 2.x line of Async.

On Fri, Feb 8, 2019, 2:12 AM Daniel Scalzi <[email protected]> wrote:

Bump


I think a simple patch update would do the trick.

Or set v3.0.0 as latest on npm, as currently it's just next and not shown by npm outdated.

Updating lodash was no issue, I've published v2.6.2 with the update.
