React-bootstrap-table2: Underscore version

Created on 16 Apr 2021 · 13 Comments · Source: react-bootstrap-table/react-bootstrap-table2

Hello,

We are facing vulnerabilities with the underscore library version: our security scan says that its version is outdated and suggests that we update it. Since we are not using underscore directly and it comes as a dependency of react-bootstrap-table-next, we can't change it. We have been wondering whether you still maintain react-bootstrap-table-next, because the last release is from almost a year ago, and if you do, will you bump the underscore version in upcoming releases?

Best Regards,
Nikolay

All 13 comments

I face the same problem. I saw that the underscore dependency is explicitly set to version 1.9.1, so it is not possible to use a newer version (even if I install it as a dependency of my package).
Underscore has a newer version (1.12.1) which does not have the vulnerability. Do you plan to update it?
By the way, I'm using react-bootstrap-table-next version 3. I'd be very happy if you could bump the underscore version in both v4 and v3. But if it's only in v4, that's good too; at least I'll have a way to solve my problem.
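The pinned 1.9.1 copy described above sits nested under the library's own node_modules, so installing a newer underscore at the top level does not replace it. The following added example (not code from the thread or from react-bootstrap-table2) scans an npm lockfile's `packages` map for every installed underscore older than 1.12.1, the release the thread names as not vulnerable, and reports which package pulls each one in. The lock data is constructed for illustration; the library version string in it is a placeholder.

```javascript
// Added example (not from the thread): find underscore copies in a
// package-lock.json (lockfile v2/v3) that are older than the fixed release.
// Threshold taken from the thread: 1.12.1 is the version without the vulnerability.
const FIXED_UNDERSCORE = "1.12.1";

// Parse "major.minor.patch"; any pre-release or build suffix is dropped.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator on dotted versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys are install paths such as
// "node_modules/react-bootstrap-table-next/node_modules/underscore".
// Returns [{ path, version, requiredBy }] for each underscore copy below `fixed`.
function findVulnerableUnderscore(lock, fixed = FIXED_UNDERSCORE) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isUnderscore =
      path === "node_modules/underscore" || path.endsWith("/node_modules/underscore");
    if (!isUnderscore || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      // The package that requires this copy is the path one level up,
      // or the root project when the copy is hoisted to the top level.
      const parent = path.replace(/\/?node_modules\/underscore$/, "") || "(root project)";
      hits.push({ path, version: meta.version, requiredBy: parent });
    }
  }
  return hits;
}

// Constructed sample lock: the root project has a fixed underscore, but the
// table library nests its own pinned 1.9.1 copy, which the root install does not replace.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/underscore": { version: "1.13.1" },
    "node_modules/react-bootstrap-table-next": {
      version: "0.0.0-placeholder", // constructed, not a real release number
      dependencies: { underscore: "1.9.1" },
    },
    "node_modules/react-bootstrap-table-next/node_modules/underscore": { version: "1.9.1" },
  },
};

console.log(findVulnerableUnderscore(sampleLock));
// → one hit: the nested 1.9.1 copy required by node_modules/react-bootstrap-table-next
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls underscore` shows the same tree interactively. As a consumer-side stopgap until the library bumps its pin, npm's `overrides` field (npm 8.3 and later) or yarn's `resolutions` field can force the nested copy to a fixed version; verify afterwards with this scan, because an exact pin in the library's package.json is exactly the case where a plain top-level install leaves the old copy in place.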

I'm using Parcel 2 to build my React app and the current underscore 1.9.1 is breaking at runtime, because of Parcel's scope hoisting feature. I've checked that underscore 1.13.1 works fine with Parcel's scope hoisting functionality, so I'm really interested in this change.

There was an arbitrary code execution notice posted for this Underscore version today: https://www.npmjs.com/advisories/1674

Any chance of updates?

@AllenFang I'm trying to create a PR for this, but getting:
image

Noticed that dependabot created a PR (#1612) which bumped the version from 1.9.1 to 1.12.1.

Same problem here. When will it be fixed? Thanks

Same problem here.

@AllenFang please merge the dependabot PR. Is this project under active development?

@AllenFang any luck? Still waiting for this merge.

This is a great project and is under active development, but it is super slow moving at times...

@chunming-c, do you have permission to merge this? It looks like nothing has been merged since Aug 2020 :(

I think we must give up using this package 👎

Anything new?
