New vulnerabilities in used old dependencies: inquirer & lodash
ale4ko69 opened this issue · comments
npm audit
lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/vorpal/node_modules/inquirer
vorpal *
Depends on vulnerable versions of inquirer
node_modules/vorpal
anyone know a maintained fork of vorpal or something similar?
This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to npm
with a unique name, please post.