
CVE-2021-23337 Command Injection in lodash #39014

Open
2 tasks done
benomatis opened this issue Jun 11, 2024 · 2 comments
Labels
status: triage needed (Issue or pull request that need to be triaged and assigned to a reviewer)
type: bug (An issue or pull request relating to a bug in Gatsby)

Comments

@benomatis
Contributor

Preliminary Checks

Description

A dependency of gatsby-plugin-offline, namely workbox-build has a dependency called lodash.template that has a vulnerability reported: GHSA-35jh-r3h4-6jhm

I logged a bug with Google workbox to no avail: GoogleChrome/workbox#3322

Here is a discussion that explains why lodash cannot fix this: lodash/lodash#5851

What could be done to fix this in gatsby?

Reproduction Link

N/A

Steps to Reproduce

This is the result of a GitHub dependabot alert

Expected Result

clear dependabot alert list

Actual Result

dependabot alert

Environment

  System:
    OS: macOS 14.5
    CPU: (12) arm64 Apple M2 Pro
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
    Yarn: 1.22.19 - ~/.yarn/bin/yarn
    npm: 9.6.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
  Browsers:
    Chrome: 125.0.6422.142
    Edge: 125.0.2535.92
    Safari: 17.5
  npmGlobalPackages:
    gatsby-cli: 5.11.0

Config Flags

No response

@benomatis benomatis added the type: bug An issue or pull request relating to a bug in Gatsby label Jun 11, 2024
@gatsbot gatsbot bot added the status: triage needed Issue or pull request that need to be triaged and assigned to a reviewer label Jun 11, 2024
@daniel-stoian-lgp

I have the same issue; gatsby-plugin-offline needs to update its workbox-build version.

@benomatis
Contributor Author

Something I missed when I opened this: workbox-build has fixed this in GoogleChrome/workbox#2522 by going to lodash directly. Please kindly update to workbox-build v6 on gatsby-plugin-offline.
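To confirm whether a project is affected by the transitive dependency described in this thread (gatsby-plugin-offline -> workbox-build -> lodash.template) and whether the suggested fix (workbox-build v6, which depends on lodash directly) is actually installed, a lockfile check is more reliable than reading package.json. The script below is an added example, not code from Gatsby, workbox or this issue; it reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and the lock data embedded in it is constructed for illustration.

```javascript
// Constructed package-lock.json excerpt (lockfileVersion 3 "packages" map),
// modelled on the dependency chain discussed in the issue. Not a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site", dependencies: { "gatsby-plugin-offline": "^6.0.0" } },
    "node_modules/gatsby-plugin-offline": {
      version: "6.0.0",
      dependencies: { "workbox-build": "^4.3.1" },
    },
    "node_modules/workbox-build": {
      version: "4.3.1",
      dependencies: { "lodash.template": "^4.5.0" },
    },
    "node_modules/lodash.template": { version: "4.5.0" },
  },
};

// Report every installed package that declares a dependency on `target`
// (regardless of hoisting), plus every installed copy of `target` itself.
function findDependents(lock, target) {
  const dependents = [];
  const copies = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const deps = { ...(info.dependencies || {}), ...(info.optionalDependencies || {}) };
    if (target in deps) dependents.push({ path: path || "(root)", version: info.version || null });
    if (path.endsWith(`node_modules/${target}`)) copies.push({ path, version: info.version });
  }
  return { dependents, copies };
}

// Per the comment above, workbox-build dropped lodash.template in v6, so any
// installed copy with a major version below 6 still carries the flagged package.
function outdatedWorkboxBuild(lock, minMajor = 6) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/workbox-build"))
    .map(([path, info]) => ({ path, version: info.version }))
    .filter(({ version }) => parseInt(version.split(".")[0], 10) < minMajor);
}

// Usage: swap `sampleLock` for JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
console.log(JSON.stringify(findDependents(sampleLock, "lodash.template"), null, 2));
console.log(outdatedWorkboxBuild(sampleLock));
```

An empty `dependents` list together with no `outdatedWorkboxBuild` entries means the upgrade has landed in the lockfile and the Dependabot alert should clear on the next scan.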
