High security vulnerability with dependent library - underscore < 1.12.1

[madhurinamagiri]

Hi Team,

An older version of the dependent library is being used. Which has the "Arbitrary Code Execution" vulnerability.

upgrading the library will do the fix. Here is the report of the npm audit.

High Arbitrary Code Execution

Package underscore

Patched in >=1.12.1

Dependency of react-bootstrap-table-next

Path react-bootstrap-table-next > underscore

As we are using this library for production purposes, due to security issues we are blocked. A quick path will do the needful.

Thanks!!

[opera-robertz]

PR #1612 by dependabot is doing just that, but project is very large and maintainer is probably very busy and I cannot fault him.

Also if you want to read more #1605

[bmmpt]

Seems like the maintainer needs to give a couple developers with vested interest in this library the permission to merge pull requests.

[madhurinamagiri]

Pull requests from 2019 are still not merged. Can not expect it to be merged anytime now. Simply moving out of this library.

[Avasam]

Pull requests from 2019 are still not merged. Can not expect it to be merged anytime now. Simply moving out of this library.

This library works so well and flexible for my needs. I'd hate to have to recode everything. For now I'm using patch-package for the small updates I'd need (performance-wise). But security issue like this is starting to be an issue.

Well, react-scripts has like 30+ atm anyway, I guess it's not as much of a priority for me until these also get fixed.

[jeancochrane]

According to https://www.npmjs.com/advisories/1674 it sounds like the arbitrary code execution vulnerability is restricted to the underscore.template function., which wasn't doing input sanitization properly before 1.12.1. As far as I can tell, src/utils.js is the only module in this library that uses underscore and it doesn't use the template function.

I would also prefer if this library were updated to use a version of underscore that doesn't have this vulnerability, but in the meantime am I wrong in my assessment that I don't need to immediately strip out this library for fear of arbitrary code execution?

[Avasam]

@jeancochrane I'm no security expert, but after looking into it myself, my conclusion is the same.
It does expose the entirety of the underscore library, but as long as you don't use it yourself I believe it should be fine.