Latest version of plato (1.7.0) using a vulnerable version of lodash (4.13.1)

[AlfredoPardo-zz]

Hi Everyone,

When running a custom static-code analysis tool, we've found that plato 1.7.0 has lodash 4.13.1 within its dependencies, which is known to have a "Prototype Pollution" vulnerability.

More information here

Thank you,

Alfredo Pardo

[JaneX8]

From: https://nodesecurity.io/advisories/577

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects.

Remediation
Update to version 4.17.5 or later.

@jsoverson Please fix this.

> npm audit


                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   plato [dev]

  Path            plato > lodash

  More info       https://nodesecurity.io/advisories/577

found 1 low severity vulnerability in 19605 scanned packages
  1 vulnerability requires manual review. See the full report for details.

[JaneX8]

@jsoverson any chance we can update the dependency to >=4.17.5?

[JaneX8]

@jsoverson sorry for the direct mentioning again. But any chance we can update the dependency to >=4.17.5 for the matter of security?

[ainthek]

+1 please

[jsoverson]

I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme.

[ainthek]

Shame. Just idea: Maybe write disclaimer “curently not maintained, only security patches” in readme and fix these at least ?

…

Sent from my iPhone

On 7 Feb 2019, at 18:12, Jarrod Overson ***@***.***> wrote: I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.