New vulnerabilities in used old dependencies: inquirer & lodash #355
Comments
|
Also running into this. I initially thought the issue was with Inquirer, but it appears they do not have lodash listed as a dependency, so perhaps Vorpal needs to upgrage lodash. Here is a screenshot of the audit output from npm. |
|
anyone know a maintained fork of vorpal or something similar? |
|
This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
npm audit
lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/vorpal/node_modules/inquirer
vorpal *
Depends on vulnerable versions of inquirer
node_modules/vorpal
The text was updated successfully, but these errors were encountered: