elm-community/elm-webpack-loader

elm-webpack-loader depending on vulnerable package (lodash)

nullbio opened this issue · 0 comments

nullbio commented

A recent vulnerability was found in older versions of lodash (the version that elm-webpack-loader seems to depend on transitively through node-elm-compiler). Result of npm audit:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ elm-webpack-loader [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ elm-webpack-loader > node-elm-compiler >                     │
│               │ find-elm-dependencies > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ elm-webpack-loader [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ elm-webpack-loader > node-elm-compiler > lodash              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/782                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 moderate severity vulnerabilities in 23118 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I've also created an issue on the node-elm-compiler repo: rtfeldman/node-elm-compiler#92