jashkenas/underscore

Security leak in _.template, please update

jgonggrijp opened this issue · 4 comments

We were notified of a security issue in _.template, which appears to have existed since Underscore version 1.3.2. The bug was fixed in versions 1.12.1 and 1.13.0-2, which I just published. If using NPM, please upgrade to underscore@latest or underscore@preview.

@jgonggrijp where is the 1.12.1 tag?

@willdurand I intentionally postponed pushing that in order to give people who want to exploit the leak less to go on. I'll let you know when I push it.

thanks

@willdurand The tag is online now.