CVE-2021-23337 in transitive dependency lodash
greyscaled opened this issue · 1 comment
greyscaled commented
all-contributors-cli version: all-contributors-cli@6.20.0
node version: N/A
npm (or yarn) version: N/A
Relevant code or config
What you did:
yarn audit
yarn why lodash
What happened:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ all-contributors-cli                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ all-contributors-cli > inquirer > lodash                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1673                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ all-contributors-cli                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ all-contributors-cli > lodash                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1673                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
yarn why v1.22.10
[1/4] Why do we have the module "lodash"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "lodash@4.17.20"
info Reasons this module exists
- "all-contributors-cli" depends on it
- Hoisted from "all-contributors-cli#lodash"
- Hoisted from "all-contributors-cli#inquirer#lodash"
info Disk size without dependencies: "4.86MB"
info Disk size with unique dependencies: "4.86MB"
info Disk size with transitive dependencies: "4.86MB"
info Number of shared dependencies: 0
Done in 0.23s.
Reproduction repository:
https://github.com/all-contributors/all-contributors-cli
Problem description:
CVE-2021-23337 in transitive dependency lodash (through inquirer)
Suggested solution:
Upgrade inquirer to a version with lodash >=4.17.21
all-contributors-release-bot commented
🎉 This issue has been resolved in version 6.20.1 🎉
The release is available on:
Your semantic-release bot 📦🚀