A dependency in this package contains a CWE-471: Modification of Assumed-Immutable Data (MAID) vulnerability.
darrynten opened this issue · 2 comments
darrynten commented
DepShield opened up a PR on one of our projects: UnicornGlobal/avatars#51
It claims that a dependency in 2.0.0-beta.0 has a known vulnerability.
DepShield reports that this application's usage of lodash.debounce:4.0.8 results in the following vulnerability(s):
(CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
lodash.debounce:4.0.8 is a transitive dependency introduced by the following direct dependency:
• mocha-webpack:2.0.0-beta.0
  └─ chokidar:2.0.4
     └─ lodash.debounce:4.0.8
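The dependency chain DepShield reports can be confirmed against the project's own lock file. The script below is an added example, not part of the issue or of mocha-webpack, that walks a package-lock.json style tree and lists every path through which a given package is pulled in; the lock data is constructed inline to mirror the chain above.

```javascript
// Added example: report every path by which a named package is pulled
// into an npm package-lock.json (v1 layout: nested "dependencies").
// The tree below is constructed to mirror the chain quoted in the issue.
const lock = {
  name: "avatars",
  dependencies: {
    "mocha-webpack": {
      version: "2.0.0-beta.0",
      dependencies: {
        chokidar: {
          version: "2.0.4",
          dependencies: {
            "lodash.debounce": { version: "4.0.8" },
          },
        },
      },
    },
  },
};

// Recursively collect { path, version } for every occurrence of `target`.
// `path` lists each hop as name@version from the direct dependency down.
function findDependencyPaths(tree, target, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const path = [...prefix, `${name}@${info.version}`];
    if (name === target) hits.push({ path, version: info.version });
    hits.push(...findDependencyPaths(info, target, path));
  }
  return hits;
}

// Keep only the occurrences whose resolved version is in the affected list,
// so a lock file with several copies of the package is triaged per copy.
function affectedPaths(tree, target, affectedVersions) {
  return findDependencyPaths(tree, target).filter((h) =>
    affectedVersions.includes(h.version)
  );
}

// Usage: the single affected path in the constructed lock data.
for (const hit of affectedPaths(lock, "lodash.debounce", ["4.0.8"])) {
  console.log(hit.path.join(" > "));
}
```

To run it on a real project, replace the constructed `lock` object with `JSON.parse(fs.readFileSync("package-lock.json"))` and the affected version list with the one from the advisory.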
larixer commented
@darrynten This is really not a mocha-webpack fault, but rather chokidar. 2.0.4 is the latest version of chokidar. You can use package.json -> resolutions of your project to point it to the latest lodash.debounce that has the fix for this security issue and wait for the next version of chokidar.
larixer commented
@darrynten Looks like this security issue is not fixed yet in lodash.debounce. lodash.debounce@4.0.8 is the latest version.