-
-
Notifications
You must be signed in to change notification settings - Fork 27
Description
Environment
Provide version numbers for the following components (information can be retrieved by running tns info
in your project folder or by inspecting the package.json
of the project:
- CLI: 7.2.0
- Cross-platform modules: 7.3.0
- Android Runtime: 7.0.1
- iOS Runtime: 7.2.0
- Plugin(s): 6.1.3
Describe the bug
The GitHub Dependabot reports that the "underscore" depenency of "nativescript-dev-appium" has a vulnerability:
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
More info at:
GHSA-cf4h-3jhx-xvhq
To Reproduce
Add nativescript-dev-appium to a NativeScript project.
Look in package-lock to see dependency chain:
"nativescript-dev-appium" version 6.1.3 uses
"frame-comparer": "^2.0.1" which uses
"blink-diff": "^1.0.13" which uses
"pngjs-image": "~0.11.5" which uses
"underscore": "1.7.0"
Expected behavior
Dependency chain using "underscore" version 1.12.1 or newer (as per the github advisory link above).
Sample project
Additional context