spectral-core: lodash.toPath security vulnerabilities? #2774

Open
W0nderMuffin opened this issue Feb 3, 2025 · 1 comment
Labels: dependencies, triaged

Comments

@W0nderMuffin

Hey there, is there any reason for using lodash.topath 4.5.2 even though a newer lodash version is included in the spectral-core package?

...
    "lodash": "~4.17.21",
    "lodash.topath": "^4.5.2",
...

Blackduck detects that the lodash.topath dependency has some critical security findings because the version is lower than 4.17.21:

https://nvd.nist.gov/vuln/detail/CVE-2018-16487
https://nvd.nist.gov/vuln/detail/CVE-2018-3721
https://nvd.nist.gov/vuln/detail/CVE-2019-10744
https://nvd.nist.gov/vuln/detail/CVE-2019-1010266
https://nvd.nist.gov/vuln/detail/CVE-2020-8203
https://nvd.nist.gov/vuln/detail/CVE-2020-28500
https://nvd.nist.gov/vuln/detail/CVE-2021-23337

Best regards
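The mismatch described in the report (lodash 4.17.21 installed next to a per-method package such as lodash.topath 4.5.2) can be checked mechanically before a scanner flags it. The script below is an added example, not code from the spectral-core project: it walks the `packages` map of an npm lockfile (lockfileVersion 2/3 layout) and lists every `lodash.*` per-method package whose version is numerically lower than the highest installed `lodash`. The lockfile contents are constructed for the example.

```javascript
// Added example (not spectral-core code): find per-method lodash packages
// (lodash.topath, lodash.merge, ...) installed beside a newer main lodash.
// Per-method packages were published on their own version lines and stopped
// at e.g. 4.5.2, so they stay flagged by scanners that compare against 4.17.21.

// "~4.17.21" / "^4.5.2" -> [4, 17, 21]; no prerelease handling (assumption).
function parseVersion(v) {
  return v.replace(/^[~^]/, "").split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Keys look like "node_modules/lodash.topath" or
// "node_modules/@stoplight/spectral-core/node_modules/lodash".
function findLaggingLodashPackages(lockfile) {
  const entries = Object.entries(lockfile.packages || {});
  const mainLodash = entries
    .filter(([p]) => /(^|\/)node_modules\/lodash$/.test(p))
    .map(([, info]) => info.version)
    .sort(compareVersions)
    .pop(); // highest installed lodash version, if any
  if (!mainLodash) return [];
  return entries
    .filter(([p]) => /(^|\/)node_modules\/lodash\.[a-z0-9]+$/.test(p))
    .filter(([, info]) => compareVersions(info.version, mainLodash) < 0)
    .map(([p, info]) => ({ path: p, version: info.version, lodash: mainLodash }));
}

// Constructed sample mirroring the issue: lodash 4.17.21 beside lodash.topath 4.5.2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodash.topath": { version: "4.5.2" },
    "node_modules/lodash.merge": { version: "4.6.2" },
  },
};

for (const hit of findLaggingLodashPackages(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version} lags behind lodash@${hit.lodash}`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; each hit is a candidate for replacing the per-method package with the equivalent `lodash/<method>` import from the main package, as the maintainers consider below.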

mnaumanali94 added the dependencies and triaged labels on Feb 4, 2025

@mnaumanali94 (Contributor)

mnaumanali94 commented Feb 4, 2025

We need to see if removing this dependency (lodash.topath) breaks something. If not, we can remove it and get rid of this vulnerability.
