New vulnerabilities in used old dependencies: inquirer & lodash

Question

New vulnerabilities in used old dependencies: inquirer & lodash

ale4ko69 opened this issue 3 years ago · comments

npm audit

lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/vorpal/node_modules/inquirer
vorpal *
Depends on vulnerable versions of inquirer
node_modules/vorpal

Torah Oglander · Answer 1 · Thu Sep 02 2021 01:05:17 GMT+0800 (China Standard Time)

Also running into this. I initially thought the issue was with Inquirer, but it appears they do not have lodash listed as a dependency, so perhaps Vorpal needs to upgrage lodash. Here is a screenshot of the audit output from npm.

Marco Wettstein · Answer 2 · Wed Jan 26 2022 05:08:31 GMT+0800 (China Standard Time)

anyone know a maintained fork of vorpal or something similar?

robross0606 · Answer 3 · Tue Aug 30 2022 11:25:14 GMT+0800 (China Standard Time)

This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to npm with a unique name, please post.