Please update dependency underscore

Question

Please update dependency underscore

jfoclpf opened this issue 2 years ago · comments

João Pimentel Ferreira commented 2 years ago

@louischatriot please just update dependency underscore as it is tagged as high vulnerability

# npm audit report

nedb  *
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-339j-hqgx-qrrx
Depends on vulnerable versions of binary-search-tree
Depends on vulnerable versions of underscore
No fix available
node_modules/nedb

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore
  binary-search-tree  *
  Depends on vulnerable versions of underscore
  node_modules/binary-search-tree

3 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

João Pimentel Ferreira · Answer 1 · Wed Jun 15 2022 04:28:38 GMT+0800 (China Standard Time)

GHSA-cf4h-3jhx-xvhq

GrayHat · Answer 2 · Mon Jun 20 2022 13:42:51 GMT+0800 (China Standard Time)

Incase anyone is still looking for a solution try gray-nedb. I've upgraded some code.

NotAHolyPerson · Answer 3 · Thu Aug 11 2022 03:36:42 GMT+0800 (China Standard Time)

Incase anyone is still looking for a solution try gray-nedb. I've upgraded some code.

Thanks! Are you planning to do any updates further?

GrayHat · Answer 4 · Thu Aug 11 2022 22:01:25 GMT+0800 (China Standard Time)

Incase anyone is still looking for a solution try gray-nedb. I've upgraded some code.

Thanks! Are you planning to do any updates further?

I do want to properly maintain the code, can't guarantee it though.