Dependency lodash.trimend is out of date and the dependency has known public CVEs - CVE-2020-28500 #4797
Comments
It looks like there was a previous issue where this was potentially fixed but it was not. #4579 Additionally, here is a closed issue from lodash: lodash/lodash#5643
@ceciliaavila Any update on this?
Hi @cbelsole, we started working on this issue today. Version 1.3 of Recognizers-Text has this issue fixed, but we can't upgrade to that without introducing breaking changes.
@ceciliaavila Any update on this?
Hi @cbelsole, we need to finish testing the fix we did for this. We'll keep you posted.
Hi @ceciliaavila, any update on this?
Hi @leen1218, an open PR with the fix is under review.
The lodash.trimend package is a transitive dependency of botbuilder and botbuilder-dialogs.
botbuilder-dialogs --> @microsoft/recognizers-text-suite --> @microsoft/recognizers-text-number --> lodash.trimend
But for the lodash.trimend package (https://www.npmjs.com/package/lodash.trimend), version 4.5.1 is already the latest version, from 8 years ago, and it seems lodash.trimend is not maintained any more.
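
Added example, not part of the original issue or the project's code: a small Node.js script that walks a `package-lock.json` in the `packages` layout and reports every dependency chain that pulls in a given package, which is how the chain quoted above can be confirmed in a consuming project. The lockfile here is a constructed sample; the root name `my-bot` and the `0.0.0-placeholder` versions are assumptions, and only `dependencies` and `optionalDependencies` are followed.

```javascript
// Constructed sample lockfile (lockfileVersion 3 layout); placeholder versions are made up.
const P = "0.0.0-placeholder";
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-bot", dependencies: { "botbuilder-dialogs": "*" } },
    "node_modules/botbuilder-dialogs": { version: P, dependencies: { "@microsoft/recognizers-text-suite": "*" } },
    "node_modules/@microsoft/recognizers-text-suite": { version: P, dependencies: { "@microsoft/recognizers-text-number": "*" } },
    "node_modules/@microsoft/recognizers-text-number": { version: P, dependencies: { "lodash.trimend": "*" } },
    "node_modules/lodash.trimend": { version: "4.5.1" },
  },
};

// Resolve a dependency name the way Node does: nearest enclosing node_modules first.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Return every chain of package names from the root project down to `target`.
function findPaths(lock, target) {
  const found = [];
  const walk = (path, chain, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolve(lock.packages, path, name);
      if (!next || seen.has(next)) continue; // unresolved, or a dependency cycle
      if (name === target) found.push([...chain, `${name}@${lock.packages[next].version}`]);
      else walk(next, [...chain, name], new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

// In a real project: findPaths(require("./package-lock.json"), "lodash.trimend")
console.log(findPaths(sampleLock, "lodash.trimend").map((c) => c.join(" --> ")));
```
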