alibaba/Sentinel

lodash:4.17.15组件存在CVE-2020-8203漏洞建议升级

Open

#1762 opened on Sep 25, 2020

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Java (23,109 stars) (8,150 forks)batch import
area/dashboardgood first issue

Description

https://github.com/alibaba/Sentinel/blob/55a8294ab0afb08c6c048e541cf8a99c49069dac/sentinel-dashboard/src/main/webapp/resources/package-lock.json#L2418-L2421

推荐升级版本: 4.17.20

Contributor guide

Tech stack
javascriptnodejs
Domain
securityfrontend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
1
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
None
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
95
Research direction
The issue identifies a specific file `sentinel dashboard/src/main/webapp/resources/package lock.json` where lodash version 4.17.15 is used. The task is to upgrade lodash to version 4.17.20 or later to fix CVE 2020-8203. Run `npm install lodash@4.17.20` in the `sentinel dashboard/src/main/webapp/resources/` directory and update the `package lock.json` accordingly. Ensure no breaking changes occur by testing the dashboard.