
fix(deps): update the vulnerable version of underscore #240

Merged

yeshamavani merged 1 commit into master from underscore-vul on Mar 5, 2026

Conversation

@yeshamavani (Contributor) commented Mar 5, 2026

rate-limit-mongo depends on vulnerable version of underscore

GH-00

Description

update the vulnerable version of underscore
rate-limit-mongo depends on vulnerable version of underscore

underscore  <=1.13.7
Severity: high
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
fix available via npm audit fix
node_modules/underscore
  rate-limit-mongo  *
  Depends on vulnerable versions of underscore
  node_modules/rate-limit-mongo
    loopback4-ratelimiter  >=2.3.0
    Depends on vulnerable versions of rate-limit-mongo
    node_modules/loopback4-ratelimiter

Fixes # (issue)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Intermediate change (work in progress)

Checklist:

  • Performed a self-review of my own code
  • npm test passes on your machine
  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide
  • API Documentation in code was updated
  • Any dependent changes have been merged and published in downstream modules

rate-limit-mongo depends on vulnerable version of underscore

GH-00
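The npm audit output above only says which installed copy of underscore is in the affected range and which packages pull it in. After running `npm audit fix` it is worth checking the lock file directly rather than trusting the audit summary, because a nested copy under `node_modules/rate-limit-mongo/node_modules/underscore` would satisfy rate-limit-mongo while the hoisted top-level copy looks clean. The script below is an added example, not code from the loopback4-ratelimiter repository: it walks a lockfile v2/v3 `packages` map, flags every underscore entry at or below 1.13.7 (the range quoted from GHSA-qpx9-hpmf-5gmw), and resolves which packages actually depend on each flagged copy using Node's walk-up resolution. The two lock-file objects are constructed for the demo; the intermediate package versions and the "fixed" underscore version are placeholders, not the versions npm installed in this PR.

```javascript
// Added example (not the project's own code): audit a package-lock.json
// "packages" map for copies of underscore still in the GHSA-qpx9-hpmf-5gmw
// range (<=1.13.7) and report the dependency chain that pulls each one in.

// Minimal semver comparison for plain "x.y.z" strings (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Advisory data taken from the npm audit output quoted in the PR description.
const ADVISORY = {
  name: 'underscore',
  maxVulnerable: '1.13.7', // "underscore <=1.13.7"
  id: 'GHSA-qpx9-hpmf-5gmw',
};

// Lock-file keys look like "node_modules/a/node_modules/b". The package that
// hoisted "b" is "node_modules/a"; a top-level "node_modules/a" belongs to the
// root entry "". Returns null once the root has been visited.
function parentPath(path) {
  if (path === '') return null;
  const idx = path.lastIndexOf('node_modules/');
  return idx > 0 ? path.slice(0, idx - 1) : '';
}

// Which packages declare a dependency on `name` that resolves to `targetPath`?
// Mirrors Node resolution: look for node_modules/<name> next to the dependent,
// then in each ancestor directory, and stop at the first copy found.
function dependentsOf(lock, targetPath, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!((meta.dependencies || {})[name])) continue;
    for (let dir = path; dir !== null; dir = parentPath(dir)) {
      const candidate = dir === '' ? `node_modules/${name}` : `${dir}/node_modules/${name}`;
      if (candidate in lock.packages) {
        if (candidate === targetPath) out.push(path === '' ? '(root)' : path);
        break;
      }
    }
  }
  return out;
}

// Every installed copy of the advisory's package that is still in range.
function findVulnerableUnderscore(lock, advisory = ADVISORY) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not an installed package
    const segments = path.split('node_modules/');
    const name = segments[segments.length - 1];
    if (name !== advisory.name || !meta.version) continue;
    if (compareVersions(meta.version, advisory.maxVulnerable) <= 0) {
      hits.push({ path, version: meta.version, dependents: dependentsOf(lock, path, advisory.name) });
    }
  }
  return hits;
}

// Constructed lock-file fragments (not the project's real lock file).
// Versions of the intermediate packages are placeholders.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'loopback4-ratelimiter': '*' } },
    'node_modules/loopback4-ratelimiter': { version: '2.3.0', dependencies: { 'rate-limit-mongo': '*' } },
    'node_modules/rate-limit-mongo': { version: '1.0.0', dependencies: { underscore: '*' } },
    'node_modules/underscore': { version: '1.13.7' }, // in the advisory range
  },
};

// Same tree after the top-level copy moved past the range, but with a nested
// copy left behind under rate-limit-mongo: the audit must still flag it.
const lockNestedLeftover = {
  lockfileVersion: 3,
  packages: {
    ...lockBefore.packages,
    'node_modules/underscore': { version: '1.99.0' }, // placeholder "fixed" version
    'node_modules/rate-limit-mongo/node_modules/underscore': { version: '1.13.7' },
  },
};

for (const hit of findVulnerableUnderscore(lockBefore)) {
  console.log(`${hit.path}@${hit.version} is in the ${ADVISORY.id} range; required by ${hit.dependents.join(', ')}`);
}
```

Point it at a real lock file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of the constructed objects. An empty result for every copy, not just the hoisted one, is the check that the transitive rate-limit-mongo → underscore edge really moved off the affected range.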
@sonarqubecloud bot commented Mar 5, 2026

SonarQube reviewer guide

Summary: Updates package dependencies to latest versions, including major updates to @actions/core (1.x to 3.x), @loopback packages, babel dependencies, and various Node.js ecosystem packages. Also fixes code formatting in the rate-limit metadata provider.

Review Focus: The @actions/core upgrade from v1 to v3 and @semantic-release/npm dependency on @actions/core are the most significant changes to examine for potential breaking changes. Additionally, verify that loopback-datasource-juggler (5.x to 6.x) and loopback-connector (6.x to 7.x) upgrades don't break existing functionality. The undici version bump warrants attention as it's critical for HTTP operations.

Start review at: package-lock.json focusing on the @actions/core, @loopback, and loopback-datasource-juggler version changes. These represent the most substantial dependency upgrades that could impact runtime behavior, particularly the Node.js version requirements (some now require Node 20+) and the core action utilities used by @semantic-release/npm.

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code


@yeshamavani yeshamavani merged commit 7c7100d into master Mar 5, 2026
6 of 8 checks passed
@yeshamavani yeshamavani deleted the underscore-vul branch March 5, 2026 09:30
@yeshamavani (Contributor, Author) commented

🎉 This PR is included in version 8.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
