Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency loadsh.trimend is out of date and the dependency has known public CVEs - CVE-2020-28500 #4797

Open
leen1218 opened this issue Nov 20, 2024 · 3 comments
Open

Dependency loadsh.trimend is out of date and the dependency has known public CVEs - CVE-2020-28500 #4797

leen1218 opened this issue Nov 20, 2024 · 3 comments
Assignees
@ceciliaavila

Comments

@leen1218
Copy link

loadsh.trimend package is transitive dependency of botbuilder and botbuilder-dialogs.

botbuilder-dialogs --> @microsoft/recognizers-text-suite --> @microsoft/recognizers-text-number --> lodash.trimend

But for loadsh.trimend package https://www.npmjs.com/package/lodash.trimend, version 4.5.1 is already the latest version 8 years ago and seems loadsh.trimend is not maintained any more.
@cbelsole
Copy link

It looks like there was a previous issue where this was potentially fixed but it was not. #4579 Additionally here is a closed issue from lodash lodash/lodash#5643

@cbelsole
Copy link

@ceciliaavila Any update on this?

@ceciliaavila
Copy link
Collaborator

@ceciliaavila Any update on this?

Hi @cbelsole, we started working on this issue today. Version 1.3 of Recognizers-Text has this issue fixed, but we can't upgrade to that without introducing breaking changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ceciliaavila ceciliaavila

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cbelsole @leen1218 @ceciliaavila