Security Vulnerability: karma & dependency combine-lists depends on lodash < 4.17.11 #3265

Closed
joshlrogers opened this issue Feb 13, 2019 · 1 comment · Fixed by karronoli/redpen#10 · May be fixed by Omrisnyk/npm-lockfiles#201

joshlrogers commented Feb 13, 2019

Karma itself, as well as the dependency combine-lists, has a dependency on lodash < 4.17.11.

Combine-lists repo seems unmaintained so might need to swap out behavior.

https://tools.cisco.com/security/center/viewAlert.x?alertId=59546

@joshlrogers joshlrogers changed the title from "combine-lists dependency depends on lodash < 4.7.11" to "karma & depdendency combine-lists depends on lodash < 4.7.11" Feb 13, 2019
@joshlrogers joshlrogers changed the title from "karma & depdendency combine-lists depends on lodash < 4.7.11" to "Security Vulnerability: karma & depdendency combine-lists depends on lodash < 4.7.11" Feb 13, 2019
@joshlrogers joshlrogers changed the title from "Security Vulnerability: karma & depdendency combine-lists depends on lodash < 4.7.11" to "Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.7.11" Feb 13, 2019
@joshlrogers joshlrogers changed the title from "Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.7.11" to "Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.17.11" Feb 13, 2019
SteinRobert added a commit to SteinRobert/karma that referenced this issue Feb 20, 2019
Remove `combine-lists` as a dependency. Use `_.union` instead now.

Fixes karma-runner#3265
johnjbarton pushed a commit that referenced this issue Feb 20, 2019
Remove `combine-lists` as a dependency. Use `_.union` instead now.

Fixes #3265
@johnjbarton
Contributor

Does npm audit pass at HEAD now?
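
As an added example (not code from the Karma project or from this thread), the following Node.js check walks a parsed package-lock.json and reports every installed lodash copy older than 4.17.11, together with where it is installed. It also handles the newer `packages` lockfile layout, which goes beyond what the issue discusses; the function names, the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example: locate lodash copies below 4.17.11 in a parsed package-lock.json.
const FIXED = [4, 17, 11]; // first lodash version this issue treats as acceptable
// Numeric x.y.z comparison; pre-release/build suffixes are ignored (simplification).
function isBelowFixed(version) {
  if (typeof version !== 'string') return false; // e.g. link entries without a version
  const parts = version.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// lockfileVersion 1: nested "dependencies" mirror node_modules nesting (install location).
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (name === 'lodash' && isBelowFixed(info.version)) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    walkV1(info.dependencies, here, hits);
  }
}

function findOldLodash(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths like "node_modules/a/node_modules/lodash"
    for (const [key, info] of Object.entries(lock.packages)) {
      const names = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
      if (names[names.length - 1] === 'lodash' && isBelowFixed(info.version)) {
        hits.push({ path: names.join(' > '), version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level lodash plus an old nested copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.11' },
    'combine-lists': { version: '1.0.1', dependencies: { lodash: { version: '4.17.10' } } }
  }
};
console.log(findOldLodash(sampleLock));
```

A top-level lodash entry in the lockfile can be required by any package, so a hit with the path `lodash` alone needs `npm ls lodash` to identify which dependents hold it back.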
