
Underscore version #1605

Open
nvasilev98 opened this issue Apr 16, 2021 · 21 comments

@nvasilev98

Hello,

We are facing vulnerabilities with the underscore library version: our security scan says that its version is outdated and suggests that we update it. Since we are not using underscore directly and it comes as a dependency of react-bootstrap-table-next, we can't change it. We have been wondering whether you still maintain react-bootstrap-table-next, because the last release is from almost a year ago, and if you do, will you bump the underscore version in upcoming releases?

Best Regards,
Nikolay

@pieceofsoft

pieceofsoft commented Apr 19, 2021

I am facing the same problem. I saw that the underscore dependency is explicitly set to version 1.9.1, so it is not possible to use a newer version (even if I install it as a dependency of my package).
Underscore has a newer version (1.12.1) which does not have the vulnerability. Do you plan to update it?
By the way, I'm using react-bootstrap-table-next version 3; I'd be very happy if you could bump the underscore version in both v4 and v3. But if it's only in v4, that's good too; at least I'll have a way to solve my problem.

@bmmpt

bmmpt commented May 5, 2021

I'm using Parcel 2 to build my React app and the current underscore 1.9.1 is breaking at runtime, because of Parcel's scope hoisting feature. I've checked that underscore 1.13.1 works fine with Parcel's scope hoisting functionality, so I'm really interested in this change.

@sricks

sricks commented May 6, 2021

There was an arbitrary code execution notice posted for this Underscore version today: https://www.npmjs.com/advisories/1674

Any chance of updates?

@bmmpt

bmmpt commented May 6, 2021

@AllenFang I'm trying to create a PR for this, but I'm getting:
[image]

@pieceofsoft

I noticed that dependabot created a PR (#1612) that bumped the version from 1.9.1 to 1.12.1.

@ahmetemrebasakcioglu

Same problem here. When will it be fixed? Thanks.

@KirillRas

Same problem here.

@bigfuture-test

@AllenFang please merge the dependabot alert. Is this project under active development?

@ahmetemrebasakcioglu

> @AllenFang please merge the dependabot alert. Is this project under active development?

@AllenFang any luck? Still waiting for this merge.

@bmmpt

bmmpt commented May 10, 2021

This is a great project and is on active development, but it is super slow moving at times...

@bmmpt

bmmpt commented May 12, 2021

@chunming-c, do you have permission to merge this? It looks like nothing has been merged since Aug 2020 :(

@ahmetemrebasakcioglu

I think we must give up using this package 👎

@navot-eloomina

Anything new?

@Akshaypal8

> Hello,
>
> We are facing vulnerabilities with the underscore library version: our security scan says that its version is outdated and suggests that we update it. Since we are not using underscore directly and it comes as a dependency of react-bootstrap-table-next, we can't change it. We have been wondering whether you still maintain react-bootstrap-table-next, because the last release is from almost a year ago, and if you do, will you bump the underscore version in upcoming releases?
>
> Best Regards, Nikolay

I am also facing the same issue. Is there any update regarding this?

@subhodeepg

Any updates on this merge?

@shailesh-patole

Hi, any update on the merge?

@v-ashrirao

Hi Team, do we have an update for this issue?

@maurojeandet

maurojeandet commented Jul 22, 2022

Hi Team, do we have any updates for this issue? Still getting the vulnerability issue

@ethanbonin

ethanbonin commented Aug 15, 2022

For those using yarn and dealing with this vulnerability, you can use resolutions in your package.json.

> You are relying on an unmaintained but working package and one of its dependencies got upgraded. You know the upgrade would not break things and you also don't want to fork the package you are relying on, just to update a minor dependency.

```json
"resolutions": {
  "react-bootstrap-table-next/underscore": "1.13.0-2"
},
```

Then run `yarn install` to fix the dependencies.

@lukekoch

lukekoch commented Feb 1, 2023

Since this repository seems to be no longer maintained, a version fix is unlikely. There have been efforts to fork the repository and maintain the fork (or at least bump the versions of dependencies as needed). The most active one I have found so far is: https://github.com/BonnierNews/react-bootstrap-table2

The maintainer provides a short summary on how to replace the dependency for react-bootstrap-table-next in your package.json making this viable for use with npm as well.

@mageshn18

mageshn18 commented Aug 7, 2024

You can use overrides in package.json to use the underscore package with a safe version.

GHSA-cf4h-3jhx-xvhq

```json
"overrides": {
  "underscore": "1.12.1"
},
```
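The two workarounds above (Yarn `resolutions` and npm `overrides`) both pin the transitive underscore copy without forking react-bootstrap-table-next. The following is an added example, not code from this thread or from the react-bootstrap-table-next project. It checks an underscore version string against the range reported for GHSA-cf4h-3jhx-xvhq / npm advisory 1674 (1.3.2 up to but not including 1.12.1, plus the 1.13.0-0 and 1.13.0-1 prereleases; 1.12.1 and 1.13.0-2 are the first fixed releases), walks a dependency tree shaped like `npm ls --json` output to locate every installed copy, and rewrites package.json with a pin scoped to react-bootstrap-table-next for either package manager. The sample tree and package.json are constructed for the example; the nested-object form of `overrides` assumes npm 8.3 or later, and the `parent/child` key assumes Yarn's `resolutions` syntax.

```javascript
// Added example (not from the issue thread or react-bootstrap-table-next).
// Affected range for GHSA-cf4h-3jhx-xvhq: 1.3.2 <= v < 1.12.1, plus the
// 1.13.0-0 and 1.13.0-1 prereleases. First fixed releases: 1.12.1 and 1.13.0-2.

// Parse "1.12.1" or "1.13.0-2" into [major, minor, patch, prerelease].
// A final release sorts after any numeric prerelease of the same x.y.z (semver
// rule), so a missing prerelease is represented as Infinity.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  const pre = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), pre];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true when lowInclusive <= v < highExclusive
function inRange(v, lowInclusive, highExclusive) {
  return compareVersions(v, lowInclusive) >= 0 && compareVersions(v, highExclusive) < 0;
}

function isVulnerableUnderscore(version) {
  const isPrerelease = parseVersion(version)[3] !== Infinity;
  return isPrerelease
    ? inRange(version, "1.13.0-0", "1.13.0-2")
    : inRange(version, "1.3.2", "1.12.1");
}

// Walk a tree shaped like `npm ls --json`: { name, version, dependencies: { name: node } }
// and report every underscore node with the path that pulled it in.
function findUnderscore(node, path = [], out = []) {
  const deps = node.dependencies || {};
  for (const [name, child] of Object.entries(deps)) {
    const childPath = path.concat(name);
    if (name === "underscore" && child.version) {
      out.push({
        path: childPath.join(" > "),
        version: child.version,
        vulnerable: isVulnerableUnderscore(child.version),
      });
    }
    findUnderscore(child, childPath, out);
  }
  return out;
}

// Constructed sample: the app has its own patched underscore, while
// react-bootstrap-table-next still pins the 1.9.1 copy discussed in this thread.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    underscore: { version: "1.13.1" },
    "react-bootstrap-table-next": {
      version: "4.0.3",
      dependencies: { underscore: { version: "1.9.1" } },
    },
  },
};

// Pin the transitive copy only under react-bootstrap-table-next, so other
// packages' own underscore ranges are left alone. npm (>= 8.3) takes a nested
// object in "overrides"; Yarn takes a "parent/child" key in "resolutions".
function addUnderscoreOverride(packageJsonText, manager, fixedVersion = "1.12.1") {
  if (isVulnerableUnderscore(fixedVersion)) {
    throw new Error(`${fixedVersion} is itself inside the affected range`);
  }
  const pkg = JSON.parse(packageJsonText);
  if (manager === "yarn") {
    pkg.resolutions = Object.assign({}, pkg.resolutions, {
      "react-bootstrap-table-next/underscore": fixedVersion,
    });
  } else if (manager === "npm") {
    const overrides = Object.assign({}, pkg.overrides);
    overrides["react-bootstrap-table-next"] = Object.assign(
      {}, overrides["react-bootstrap-table-next"], { underscore: fixedVersion });
    pkg.overrides = overrides;
  } else {
    throw new Error(`unknown package manager: ${manager}`);
  }
  return JSON.stringify(pkg, null, 2) + "\n";
}

// Constructed sample package.json
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "my-app",
  version: "1.0.0",
  dependencies: { "react-bootstrap-table-next": "^4.0.3" },
});

console.log(findUnderscore(SAMPLE_TREE));
console.log(addUnderscoreOverride(SAMPLE_PACKAGE_JSON, "npm"));
```

After adding the pin and reinstalling, `npm ls underscore` (or `yarn why underscore`) should show the fixed version under react-bootstrap-table-next; a scanner that reads the lockfile rather than package.json will keep flagging the old version until the lockfile is regenerated.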
