New vulnerabilities in used old dependencies: inquirer & lodash #355
Comments
anyone know a maintained fork of vorpal or something similar?
This is really disappointing. There are currently 17 open pull requests so clearly people are trying to help maintain this. But the project owner appears to have somewhat abandoned it. He even suggests someone "shoot him a note" to help maintain it, but there have been no updates in years. If anyone knows of a maintained fork that is actually published to
If you wanna help just fork it yourself in place of expecting someone that moved on to work on it again, no?
@sabbaticaldev, with respect, forking doesn't help the community. All it does is fragment things. If they have "moved on", the owner(s) of this repository should ask for contributors on this repository and work to transition it. Even if I fork the project, I cannot simply publish new versions of this artifact. I'd have to create a different name and then we just add community confusion.
`"dependencies": {` Add dependencies explicitly and override them in the package.json file.
@robross0606 there is no fragmenting if the original work stopped like the case here. There is just complaining and laziness.
@sabbaticaldev The vitriol is unnecessary. It costs nothing to be nice. I respectfully disagree and the already existent forks of this project back it up. This project is also not properly marked as archived. While I'm at it, why not spend an ounce of that wasted hate and spin up your own fork? More fun to troll people instead? If you have nothing useful to contribute, get off the thread.
It costs nothing for you to be nice too, @robross0606. Let me remind you that you started this with your condescending tone "This is really disappointing". You are not entitled to free work from free software, you know? In place of wasting so much of our energy with this useless discussion you could have done it the right way. Also a reminder to you that this here is real life. People get sick, people die, people change priorities in their life.
How is "disappointing" condescending? Seriously? Disappointing is a feeling I have. I'm not telling you you're anything (like lazy) and nothing was sarcastic or spoken as if to a child. I'm saying I'm disappointed that this repo hasn't handled shutdown properly:
That's disappointing to me. There's nothing condescending there and nothing hurtful. Sorry, I don't know why you got feelings hurt by that, but you may want to look up the definition of "condescending". (Hint: That last sentence was condescending.)
```text
npm audit

lodash  <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
No fix available
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/vorpal/node_modules/inquirer
    vorpal  *
    Depends on vulnerable versions of inquirer
    node_modules/vorpal
```