Critical security vulnerability #60

skhilliard · 2021-10-08T12:33:28Z

gulp-run has a dependency on gulp-util which references a version of lodash.template that has a critical vulnerability. Would it be possible to update gulp-run to eliminate this? Unfortunately, I see that the gulp-util project has been deprecated.

gulp-run > gulp-util > lodash.template
GHSA-jf85-cpcp-j695

`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  `-- [email protected]

The text was updated successfully, but these errors were encountered:

cbarrick · 2021-10-11T01:23:10Z

It is difficult to fix a security issue from a transitive dependency.

The best solution may be to submit a patch to gulp-util and convince them to do a release. Even though it's deprecated, the maintainer may be willing to publish a security patch.

Also, no one is really doing active development of this library AFAIK. If you think the issue can be fixed here, you can submit a patch, and I can help review.

demurgos · 2021-10-11T14:11:49Z

gulp-util has been deprecated for years and shouldn't even be a dependency.
gulp-util will not be updated, use the migration instructions from the README to move to a supported dependency.

demurgos mentioned this issue Oct 11, 2021

Security vulnerability gulpjs/gulp-util#168

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Critical security vulnerability #60

Critical security vulnerability #60

skhilliard commented Oct 8, 2021 •

edited by cbarrick

Loading

cbarrick commented Oct 11, 2021

demurgos commented Oct 11, 2021 •

edited

Loading

Critical security vulnerability #60

Critical security vulnerability #60

Comments

skhilliard commented Oct 8, 2021 • edited by cbarrick Loading

cbarrick commented Oct 11, 2021

demurgos commented Oct 11, 2021 • edited Loading

skhilliard commented Oct 8, 2021 •

edited by cbarrick

Loading

demurgos commented Oct 11, 2021 •

edited

Loading