Lodash dependency vulnerability in enigma-js npm package

Hi,

I’m working with a public repo I created for the enigma-discovery CLI getting started guide.

GitHub warned me that there’s a security vulnerability in lodash, which is coming from the jayson@2.1.2 dependency used by enigma-js@0.0.5. Just wanted to give a heads up in case it’s possible for Enigma to update their version of jayson to solve the issue. I’m not sure if it’s possible for end users depending on enigma-js to override the lodash dependency version themselves.

➜  enigma-discovery git:(master) npm ls lodash
myproject@1.0.0 /Users/dwarrier/WebstormProjects/enigma-discovery
└─┬ enigma-js@0.0.5
  └─┬ jayson@2.1.2
    └── lodash@4.17.11

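Added example, not code from the thread or from the Enigma project: a small script that walks the JSON form of the `npm ls` tree shown above (`npm ls lodash --json` emits the same nested `dependencies`/`version` shape) and reports every dependency path that resolves a package below a caller-supplied minimum version. The tree literal mirrors the output in the post and is constructed here; the `4.17.12` threshold is an assumed example value, not one stated in the thread.

```javascript
// Constructed sample mirroring the thread's `npm ls lodash` output, in the
// nested shape that `npm ls --json` emits (dependencies -> { version, dependencies }).
const npmLsJson = {
  name: "myproject",
  version: "1.0.0",
  dependencies: {
    "enigma-js": {
      version: "0.0.5",
      dependencies: {
        jayson: {
          version: "2.1.2",
          dependencies: { lodash: { version: "4.17.11" } },
        },
      },
    },
  },
};

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes
// (e.g. "-beta.1") are ignored, which is enough for the lodash release line.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `pkg` whose resolved version is below
// `minVersion`, together with the dependency path that pulled it in. This is
// what tells you which direct dependency (here enigma-js) you need to chase.
function findOutdated(tree, pkg, minVersion, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, minVersion) < 0) {
      hits.push({ path: here, version: node.version });
    }
    hits.push(...findOutdated(node, pkg, minVersion, here));
  }
  return hits;
}

// Assumed threshold for illustration; take the real minimum from your advisory feed.
for (const h of findOutdated(npmLsJson, "lodash", "4.17.12")) {
  console.log(`${h.path.join(" > ")} is below 4.17.12`);
}
```

Whether a consumer can pin the transitive version themselves depends on the package manager: npm 8.3 and later honour an `overrides` field in package.json, and yarn uses `resolutions`. Until the upstream package (here enigma-js) updates, such an override is the only lever the depending project has.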

Thanks @crypto_mentions, we’re well aware of it, and it’s being addressed in https://github.com/enigmampc/enigma-contract/pull/123 which will be merged today into develop. lodash is a dependency of a few other packages, so other items needed to be reviewed as well. We’re also pushing a merge from develop to master this week.

This has been addressed as of the new release announced here:


Thank you for the link and the update here, Victor!