New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong version in lodash.pick vulnerability report CVE-2020-8203 #5809
Comments
Same for |
Okay, as workaround if you are using
The solution above is in case lodash is being referenced as a sub-dependecy. If you are referencing directly any of the affected packages through
or:
|
It's working thank you for npm I just add
in package.json |
- override incorrect lodash.pick vulnerability lodash/lodash#5809
- override incorrect lodash.pick vulnerability lodash/lodash#5809
Do I understand correctly that the workaround for this is to replace |
Please, if you have any better solution to this workaround feel free to share it instead of complaining. |
I'n not complaining; I'm asking for clarification. I'm trying to understand the nature of the problem - and whether the workaround fixes the underlying issue. The reason I ask is that the fix that went into 4.17.19 doesn't actually affect the pick utlilty at all. I don't want to apply a fix if it doesn't actually address the problem. I'm currently trying to see what I can learn from the other fixed modules (e.g. lodash-es). Will update when I have more concrete information. |
@causaly-mark I think this is because the per-method packages are not maintained/released anymore. See this other, similar issue about another method package: #5808 |
So to follow up on my previous comment:
|
Hi,
It appears that a vulnerability with High severity has been reported with wrong patching version.
Currently latest release is 4.4.0 but for CVE-2020-8203 the patched version is 4.17.19.
For us
pnpm audit
is failing because of thisThe text was updated successfully, but these errors were encountered: