[x3d-public] A new security advisory on lodash affects 6 of your repositories

John Carlson yottzumm at gmail.com
Mon Jul 20 05:05:41 PDT 2020


Note: This security advisory applies to X3D sourceforge repository
www.web3d.org/x3d/stylesheets/java/node. There's no real fix at this
time, because we are using recent java OpenJDK, and the secure versions of
the nodejs java module are many versions back. There's a pull request for
upgrading lodash to 4.17.19 in the nodejs java module (dependency found in
package.json). The pull request is here:
https://github.com/joeferner/node-java/pull/502

It's a low severity vulnerability.

This should be something we should track. I will try to put a tracker in
github.

John

On Sun, Jul 19, 2020 at 11:45 AM John Carlson <yottzumm at gmail.com> wrote:

> FYI, there’s a security advisory against many of my repositories. I
> don’t see any patches yet. While I don’t use lodash directly, some of my
> dependencies may.
>
> ---------- Forwarded message ---------
> From: GitHub <noreply at github.com>
> Date: Sun, Jul 19, 2020 at 7:45 AM
> Subject: A new security advisory on lodash affects 6 of your repositories
> To: John Carlson <yottzumm at gmail.com>
>
>
> A new security advisory was published
>
> We found a vulnerable dependency in repositories you have security alert
> access to.
>
> Security advisory GHSA-p6mc-m468-83gw
> <https://github.com/advisories/GHSA-p6mc-m468-83gw> (low severity) affects
> 6 repositories:
> lodash (npm) used in 6 repositories
> coderextreme/oratorsheart
> View alert <https://github.com/coderextreme/oratorsheart/network/alert/package-lock.json/lodash/open>
> coderextreme/busyvine
> View alert <https://github.com/coderextreme/busyvine/network/alert/package-lock.json/lodash/open>
> coderextreme/X3DJSONLD
> View alert <https://github.com/coderextreme/X3DJSONLD/network/alert/package-lock.json/lodash/open>
> coderextreme/pythonSAI
> View alert <https://github.com/coderextreme/pythonSAI/network/alert/package-lock.json/lodash/open>
> coderextreme/X3DESSAIL
> View alert <https://github.com/coderextreme/X3DESSAIL/network/alert/package-lock.json/lodash/open>
> coderextreme/x3djson
> View alert <https://github.com/coderextreme/x3djson/network/alert/package-lock.json/lodash/open>
>
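The thread's point is that the vulnerable lodash arrives transitively, through the java module's package.json, rather than as a direct dependency, so the question a maintainer has to answer is which installed copy is old and which packages actually resolve to it. The following added example (not code from the thread, from GitHub, or from the node-java project) audits a package-lock.json in the lockfileVersion 1 layout for every installed copy of lodash older than 4.17.19 and lists the dependents that npm would resolve to each copy. The lockfile it runs on is constructed: only the package name lodash and the fixed version 4.17.19 come from the thread, "java" stands in for the intermediate dependency the thread names, and every other package name and version number is an assumption.

```javascript
// Added example; not code from the x3d-public thread, GitHub, or the node-java project.
// Audits a package-lock.json in the lockfileVersion 1 layout (nested "dependencies"
// objects carrying "version", "requires" and optional nested "dependencies") for every
// installed copy of a package older than the version an advisory lists as fixed, and
// reports which packages resolve to that copy. The lockfile below is constructed for
// illustration; only "lodash" and the fixed version 4.17.19 come from the thread, and
// "java" stands in for the intermediate dependency the thread names.

const FIXED_VERSIONS = { lodash: '4.17.19' };

// Numeric comparison of dotted release versions (no prerelease tags): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Visit every entry in the lockfile tree. The callback receives the package name,
// its lockfile entry, the path of names from the root, and the chain of
// node_modules scopes (innermost first) that npm searches when resolving the
// packages this entry "requires".
function walkLock(lock, visit) {
  const root = { deps: lock.dependencies || {}, path: [] };
  (function walk(scope, chain) {
    for (const [name, meta] of Object.entries(scope.deps)) {
      const here = [...scope.path, name];
      const inner = { deps: meta.dependencies || {}, path: here };
      visit(name, meta, here, [inner, ...chain]);
      walk(inner, [inner, ...chain]);
    }
  })(root, [root]);
}

// For each package in `fixed`, list installed copies below the fixed version,
// each with the dependents whose "requires" resolve to that particular copy
// (nearest enclosing node_modules wins, as in npm's resolution).
function auditLock(lock, fixed = FIXED_VERSIONS) {
  const copies = {}; // "path@version" -> finding
  walkLock(lock, (name, meta, here) => {
    const fixedIn = fixed[name];
    if (fixedIn && compareVersions(meta.version, fixedIn) < 0) {
      copies[here.join('/') + '@' + meta.version] = {
        name, version: meta.version, fixedIn, installedAt: here.join('/'), requiredBy: [],
      };
    }
  });
  walkLock(lock, (name, meta, here, chain) => {
    for (const dep of Object.keys(meta.requires || {})) {
      if (!fixed[dep]) continue;
      const scope = chain.find(s => dep in s.deps);
      if (!scope) continue; // lockfile inconsistency: required but never installed
      const key = [...scope.path, dep].join('/') + '@' + scope.deps[dep].version;
      if (copies[key]) copies[key].requiredBy.push(here.join('/'));
    }
  });
  return Object.values(copies);
}

// Constructed lockfile: "java" requires lodash and gets the hoisted 4.17.15; a
// hypothetical "build-helper" pins an older major and so carries its own nested
// copy; "up-to-date" already resolves to the fixed version and must not be flagged.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    java: { version: '0.1.0', requires: { lodash: '^4.17.0' } },
    lodash: { version: '4.17.15' },
    'build-helper': {
      version: '1.0.0',
      requires: { lodash: '^3.0.0' },
      dependencies: { lodash: { version: '3.10.1' } },
    },
    'up-to-date': {
      version: '2.0.0',
      requires: { lodash: '^4.17.19' },
      dependencies: { lodash: { version: '4.17.19' } },
    },
  },
};

for (const f of auditLock(sampleLock)) {
  console.log(`${f.name}@${f.version} (fixed in ${f.fixedIn}) at ${f.installedAt}, ` +
              `required by: ${f.requiredBy.join(', ') || 'nothing'}`);
}
```

Run against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the `requiredBy` list is what tells you whether bumping lodash at the top level is enough or whether, as in the thread, a dependency such as the java module has to ship its own update first.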