Security vulnerability in old version of lodash · Redocly/redoc#2528

(3 comments) (0 reactions) (0 assignees)TypeScript (21,877 stars) (2,272 forks)batch import

Type: Bughelp wantedp3

説明

Describe the bug The redoc/benchmark/index.html file references an obsolete version of lodash (4.17.4) with a known vulnerability that was fixed in later versions. The latest version is 4.17.21, which seems to have fixed the problem. Could the vulnerable version be replaced with the fixed version? Is the benchmark folder necessary to run redoc?

Expected behavior I expected redoc to pass muster with the security team at my company, but it was rejected because of the known vulnerability. See attached file. Redoc ML-vulnerability-report.xlsx

Minimal reproducible OpenAPI snippet(if possible)

Screenshots If applicable, add screenshots to help explain your problem.

Additional context Add any other context about the problem here.

コントリビューターガイド

技術スタック: javascripttypescripthtml
領域: securityfrontend
Issue 種別: security
難度: 2
推定時間: under 1 hour
活動状況: fresh
明確さ: clear
前提条件: familiarity with npm or yarnbasic knowledge of dependency management
初心者向け度: 90
調査方針: Update lodash version in 'redoc/benchmark/index.html' from 4.17.4 to 4.17.21. Verify that no breaking changes affect the benchmark functionality. Optionally, discuss whether the benchmark folder is necessary for the main application. Check the current package.json or lockfile to ensure consistency.