Vulnerability in underscore dependency #294
Description
Environment
Provide version numbers for the following components (information can be retrieved by running tns info in your project folder or by inspecting the package.json of the project:
- CLI: 7.2.0
- Cross-platform modules: 7.3.0
- Android Runtime: 7.0.1
- iOS Runtime: 7.2.0
- Plugin(s): 6.1.3
Describe the bug
The GitHub Dependabot reports that the "underscore" depenency of "nativescript-dev-appium" has a vulnerability:
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
More info at:
GHSA-cf4h-3jhx-xvhq
To Reproduce
Add nativescript-dev-appium to a NativeScript project.
Look in package-lock to see dependency chain:
"nativescript-dev-appium" version 6.1.3 uses
"frame-comparer": "^2.0.1" which uses
"blink-diff": "^1.0.13" which uses
"pngjs-image": "~0.11.5" which uses
"underscore": "1.7.0"
Expected behavior
Dependency chain using "underscore" version 1.12.1 or newer (as per the github advisory link above).
Sample project
Additional context