WS-2018-0210 Low Severity Vulnerability detected by WhiteSource
mend-bolt-for-github opened this issue · 1 comment
WS-2018-0210 - Low Severity Vulnerability
Vulnerable Library - lodash-3.10.1.tgz
The modern build of lodash modular utilities.
Library home page: http://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz
Path to dependency file: /ai-lab/package.json
Path to vulnerable library: /tmp/git/ai-lab/node_modules/json-rpc2/node_modules/lodash/package.json
Dependency Hierarchy:
- @theia/go-0.3.17.tgz (Root Library)
  - go-language-server-0.1.7.tgz
    - json-rpc2-1.0.2.tgz
      - ❌ lodash-3.10.1.tgz (Vulnerable Library)
Found in HEAD commit: 082fbcbc8c2ef8fc2f905bd9e108a64bbeabbbfe
Vulnerability Details
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
Suggested Fix
Type: Change files
Origin: lodash/lodash@90e6199
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
Resolved, not actually using Theia (/ai-lab/package.json is not used)