zinserjan/mocha-webpack

A dependency in this package contains a CWE-471: Modification of Assumed-Immutable Data (MAID) vulnerability.

darrynten opened this issue · 2 comments

DepShield opened up a PR on one of our projects: UnicornGlobal/avatars#51

It claims that a dependency in 2.0.0-beta.0 has a known vulnerability.

DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):

(CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency:

• mocha-webpack:2.0.0-beta.0
        └─ chokidar:2.0.4
              └─ lodash.debounce:4.0.8

@darrynten This is really not a mocha-webpack fault, but rather chokidar. 2.0.4 is the latest version of chokidar. You can use package.json -> resolutions in your project to point it to the latest lodash.debounce that has the fix for this security issue and wait for the next version of chokidar.
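To see where a flagged transitive version actually enters the tree and what the matching package.json `resolutions` key would look like, here is an added example (not code from mocha-webpack, chokidar, or the reporter). It assumes the dependency tree shape that `npm ls --json` emits and Yarn-style nested `resolutions` keys; the tree itself is constructed from the report above, and the pinned version is a placeholder because no fixed lodash.debounce release is named in this thread.

```javascript
// Constructed sample tree, mirroring the DepShield report in this issue
// (same shape as `npm ls --json` output: name -> { version, dependencies }).
const tree = {
  name: 'avatars',
  dependencies: {
    'mocha-webpack': {
      version: '2.0.0-beta.0',
      dependencies: {
        chokidar: {
          version: '2.0.4',
          dependencies: {
            'lodash.debounce': { version: '4.0.8' },
          },
        },
      },
    },
  },
};

// Depth-first walk that returns every path from the root to a package whose
// name and version match the flagged one, e.g.
// ['mocha-webpack', 'chokidar', 'lodash.debounce'].
function findPaths(node, name, version, trail = []) {
  const hits = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const path = trail.concat(depName);
    if (depName === name && dep.version === version) hits.push(path);
    hits.push(...findPaths(dep, name, version, path));
  }
  return hits;
}

// Builds the Yarn "resolutions" entry for one path: the nested package names
// joined with '/'. The default pinned value is an obvious placeholder; replace
// it with a real fixed version once one exists upstream.
function resolutionFor(path, pinned = '<FIXED_VERSION_PLACEHOLDER>') {
  return { [path.join('/')]: pinned };
}

const paths = findPaths(tree, 'lodash.debounce', '4.0.8');
console.log(paths.map((p) => p.join(' -> ')));
console.log(JSON.stringify({ resolutions: resolutionFor(paths[0]) }, null, 2));
```

Run against real `npm ls --json` output, the same walk reports every chain that pulls in the flagged version, which is the list you need to check before a resolutions override is considered complete.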

@darrynten Looks like this security issue is not fixed yet in lodash.debounce. lodash.debounce@4.0.8 is the latest version.