[x3d-public] A new security advisory on lodash affects 6 of your repositories

Michalis Kamburelis michalis.kambi at gmail.com
Mon Jul 20 05:44:07 PDT 2020


These are automated GitHub security advisories. They may propose a PR to you,
which you can apply, or say e.g. "ignore it but only for this version of X,
and remind me when the version changes".

Regards,
Michalis

Mon, 20 Jul 2020 at 14:09 John Carlson <yottzumm at gmail.com> wrote:

> Note: This security advisory applies to the X3D sourceforge repository
> www.web3d.org/x3d/stylesheets/java/node. There's no real fix at this
> time, because we are using recent java OpenJDK, and the secure versions of
> the nodejs java module are many versions back. There's a pull request for
> upgrading lodash to 4.17.19 in the nodejs java module (dependency found in
> package.json). The pull request is here:
> https://github.com/joeferner/node-java/pull/502
>
> It's a low severity vulnerability.
>
> This should be something we should track. I will try to put a tracker in
> github.
>
> John
>
> On Sun, Jul 19, 2020 at 11:45 AM John Carlson <yottzumm at gmail.com> wrote:
>
>> FYI, there's a security advisory against many of my repositories. I
>> don't see any patches yet. While I don't use lodash directly, some of my
>> dependencies may.
>>
>> ---------- Forwarded message ---------
>> From: GitHub <noreply at github.com>
>> Date: Sun, Jul 19, 2020 at 7:45 AM
>> Subject: A new security advisory on lodash affects 6 of your repositories
>> To: John Carlson <yottzumm at gmail.com>
>>
>>
>> A new security advisory was published
>>
>> We found a vulnerable dependency in repositories you have security alert
>> access to.
>>
>> Security advisory GHSA-p6mc-m468-83gw
>> <https://github.com/advisories/GHSA-p6mc-m468-83gw> (low severity) affects
>> 6 repositories:
>> lodash (npm) used in 6 repositories
>> - coderextreme/oratorsheart
>>   <https://github.com/coderextreme/oratorsheart/network/alert/package-lock.json/lodash/open>
>> - coderextreme/busyvine
>>   <https://github.com/coderextreme/busyvine/network/alert/package-lock.json/lodash/open>
>> - coderextreme/X3DJSONLD
>>   <https://github.com/coderextreme/X3DJSONLD/network/alert/package-lock.json/lodash/open>
>> - coderextreme/pythonSAI
>>   <https://github.com/coderextreme/pythonSAI/network/alert/package-lock.json/lodash/open>
>> - coderextreme/X3DESSAIL
>>   <https://github.com/coderextreme/X3DESSAIL/network/alert/package-lock.json/lodash/open>
>> - coderextreme/x3djson
>>   <https://github.com/coderextreme/x3djson/network/alert/package-lock.json/lodash/open>
>>
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>