URGENT: Corvid-cli high-risk vulnerability

skmedia · August 8, 2019, 10:22pm

Sometime last month, one of the dependency packages for corvid-cli was found to have a very high-risk prototype pollution vulnerability:
https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/

Since then, the dependency package has received a patch, but does not ship by default with the current version of the corvid-cli package. This is a vital 5 minute fix, so please pass it on ASAP

sheyla · August 8, 2019, 10:35pm

I’ll make sure this gets to the right people

skmedia · August 8, 2019, 10:40pm

Thanks Sheyla!

skmedia · August 10, 2019, 10:11pm

@sheyla

I noticed an update roll out, but it looks like the corvid parent package is still using an outdated version of lodash, the corvid-cli package is now all set. Please refer the team to these screenshots, and thank you for taking this seriously!

sheyla · August 12, 2019, 9:39pm

Hi David! I just wanted to let you know that a fix will be pushed tomorrow morning. Thank you so much for spotting this and sending it our way.

skmedia · August 12, 2019, 11:15pm

Thank you!

Topic		Replies	Views
Code Review Friday: Let's Improve your code, ask Corvid master Ask the community code , wix-members-area , question	3	169	May 2, 2020
NPM request tracker seems to be broken Ask the community code	1	90	May 6, 2020
Code Review Friday: (Let's Improve your code, ask Corvid Master) Ask the community code , question	25	223	April 25, 2020
Corvid Examples page feedback Ask the community code , question	4	454	November 17, 2019
NPM, node.js, and other helpful Community stuff Ask the community code , wix-stores , wix-forum , wix-blog , question	3	439	January 2, 2021

URGENT: Corvid-cli high-risk vulnerability

Related topics