Security vulnerabilities in lodash and npm-run with available patches
inlightmedia opened this issue · 6 comments
Describe the bug
npm-run 4.1.2 results in a security vulnerability. Can we update this to npm-run 5.0.1? The sync-exec sub-dependency is the issue. This library (sync-exec) was essentially deprecated and absorbed into npm itself. The proposed solution is to replace the library calls with the npm native solution. npm-run has removed the vulnerable dependency but with a breaking change. It would be good to see where you are using npm-run and see if this can be updated safely.
Also, we need to update lodash 4.17.11 to 4.17.15 to remove the lodash security vulnerability in lodash 4.17.11.
To Reproduce
- run npm audit in any project that uses graphql-cli
Expected behavior
No security vulnerabilities.
Screenshots
N/A
Versions (please complete the following information):
"graphql-cli": "3.0.14",
Other Context:
https://www.npmjs.com/advisories/310
The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of sync-exec to child_process.execSync().
I could submit a PR with the updates to the package versions but I'm wondering if there is a reason it has not been done yet.
Hi
My suggestion would be to update to the latest version (beta).
👍 I meant to give an update on the audit status of the latest stable version.
@lorensr We are working on the 4.x at the moment and no longer maintain the previous version as it is a different codebase. Issues can still be fixed by locking your version. NPM can fix that.
Looks like the beta was removed from the git repo and there is only an alpha now. The beta version on npm is in the 2.x.x range. How stable is the alpha?