Skip to content

Vulnerability in underscore dependency #294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
matt-cooper opened this issue May 10, 2021 · 0 comments
Open

Vulnerability in underscore dependency #294

matt-cooper opened this issue May 10, 2021 · 0 comments

Comments

@matt-cooper
Copy link

Environment
Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project:

  • CLI: 7.2.0
  • Cross-platform modules: 7.3.0
  • Android Runtime: 7.0.1
  • iOS Runtime: 7.2.0
  • Plugin(s): 6.1.3

Describe the bug
The GitHub Dependabot reports that the "underscore" depenency of "nativescript-dev-appium" has a vulnerability:
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
More info at:
GHSA-cf4h-3jhx-xvhq

To Reproduce
Add nativescript-dev-appium to a NativeScript project.
Look in package-lock to see dependency chain:
"nativescript-dev-appium" version 6.1.3 uses
"frame-comparer": "^2.0.1" which uses
"blink-diff": "^1.0.13" which uses
"pngjs-image": "~0.11.5" which uses
"underscore": "1.7.0"

Expected behavior
Dependency chain using "underscore" version 1.12.1 or newer (as per the github advisory link above).

Sample project

Additional context
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@matt-cooper