Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.17.11 #3265

Closed
joshlrogers opened this issue Feb 13, 2019 · 1 comment · Fixed by karronoli/redpen#10 · May be fixed by Omrisnyk/npm-lockfiles#201

Comments

@joshlrogers
Copy link

joshlrogers commented Feb 13, 2019

Karma itself as well as the dependency combine-lists has a dependency on lodash < 4.17.11

Combine-lists repo seems unmaintained so might need to swap out behavior.

https://tools.cisco.com/security/center/viewAlert.x?alertId=59546

@joshlrogers joshlrogers changed the title combine-lists dependency depends on lodash < 4.7.11 karma & depdendency combine-lists depends on lodash < 4.7.11 Feb 13, 2019
@joshlrogers joshlrogers changed the title karma & depdendency combine-lists depends on lodash < 4.7.11 Security Vulnerability: karma & depdendency combine-lists depends on lodash < 4.7.11 Feb 13, 2019
@joshlrogers joshlrogers changed the title Security Vulnerability: karma & depdendency combine-lists depends on lodash < 4.7.11 Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.7.11 Feb 13, 2019
@joshlrogers joshlrogers changed the title Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.7.11 Security Vulnerability: karma & dendency combine-lists depends on lodash < 4.17.11 Feb 13, 2019
SteinRobert added a commit to SteinRobert/karma that referenced this issue Feb 20, 2019
Remove `combine-lists` as a dependency. Use `_.union` instead now.

Fixes karma-runner#3265
johnjbarton pushed a commit that referenced this issue Feb 20, 2019
Remove `combine-lists` as a dependency. Use `_.union` instead now.

Fixes #3265
@johnjbarton
Copy link
Contributor

Does npm audit pass at HEAD now?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants