This repository has been archived by the owner on Oct 26, 2020. It is now read-only.

security issue in dependency lodash #14

Closed
PieterGit opened this issue Aug 22, 2019 · 3 comments

@PieterGit
Contributor

Can you please fix this? I am trying to integrate minimed-connect-to-nightscout into Nightscout and get:

```
$ npm audit
npm WARN audit Both npm-shrinkwrap.json and package-lock.json exist, using npm-shrinkwrap.json.
=== npm audit security report ===

# Run  npm update lodash --depth 2  to resolve 1 vulnerability

  High            Prototype Pollution
  Package         lodash
  Dependency of   minimed-connect-to-nightscout
  Path            minimed-connect-to-nightscout > lodash
  More info       https://nodesecurity.io/advisories/1065
```

Can you upgrade lodash and confirm it works with minimed-connect-to-nightscout and then release a 1.3.1?

@PieterGit
Contributor Author

@szymjaw or @mddub: can you fix this so we can release a version of minimed-connect-to-nightscout without known security issues integrated in Nightscout?

@mddub
Owner

mddub commented Aug 23, 2019

Fixed in 59f06ff. I just pushed v1.3.1 to npm. I can't verify that things still work, but I'm assuming so, since only the patch version changed for lodash, and the mocha dependency is only for tests, which still pass.

@mddub mddub closed this as completed Aug 23, 2019
@PieterGit
Contributor Author

@mddub Thanks for the quick response. Integrated version 1.3.1 in nightscout/cgm-remote-monitor#4915 for inclusion within Nightscout.
