snyk reports a Regular Expression Denial of Service vulnerability on one of your dependencies, lodash 4.17.5.
✗ Medium severity vulnerability found in lodash
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/SNYK-JS-LODASH-73639
Introduced through: async@2.6.1
From: async@2.6.1 > lodash@4.17.5
Remediation:
Your dependencies are out of date, otherwise you would be using a newer version of lodash.
Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.
and
Analyzing npm dependencies for package.json
Querying vulnerabilities database...
Tested 255 dependencies for known vulnerabilities, found 3 vulnerabilities, 23 vulnerable paths.
✗ 2 vulnerabilities introduced via async@2.6.1
- info: https://snyk.io/package/npm/async/2.6.1
Thanks in advance!
Bump
We don't use that method so it doesn't apply to us. We removed lodash in v3.0. I think there were some issues for us to migrate off that minor version of lodash on the 2.x line of Async.
On Fri, Feb 8, 2019, 2:12 AM Daniel Scalzi <[email protected]> wrote:
Bump
I think a simple patch update would do the trick.
or set v3.0.0 as latest on npm, as currently it's just next and not shown by npm outdated
Updating lodash was no issue, I've published v2.6.2 with the update.