Bump lodash from 4.17.2 to 4.17.21 in /dev-playground #2

dependabot · 2023-01-09T17:50:55Z

Bumps lodash from 4.17.2 to 4.17.21.

Commits

f299b52 Bump to v4.17.21
c4847eb Improve performance of toNumber, trim and trimEnd on large input strings
3469357 Prevent command injection through _.template's variable option
ded9bc6 Bump to v4.17.20.
63150ef Documentation fixes.
00f0f62 test.js: Remove trailing comma.
846e434 Temporarily use a custom fork of lodash-cli.
5d046f3 Re-enable Travis tests on 4.17 branch.
aa816b3 Remove /npm-package.
d7fbc52 Bump to v4.17.19
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by bnjmnt4n, a new releaser for lodash since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

ImagineBuildBot · 2023-01-09T23:02:56Z

Scan submitted to Checkmarx

ImagineBuildBot · 2023-01-09T23:10:09Z

Checkmarx SAST - Scan Summary & Details

Cx-SAST Summary

Total of 1 vulnerabilities
0 High
1 Medium
0 Low
0 Info

Violation Summary

1 MEDIUM

View more details on Checkmarx UI

Cx-SAST Details

Click to see details

Lines	Severity	Category	File	Link
51	MEDIUM	Missing_HSTS_Header	dev-playground/server.js	Checkmarx

ghost · 2025-11-06T17:18:59Z

@dependabot recreate

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.2 to 4.17.21. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.2...4.17.21) --- updated-dependencies: - dependency-name: lodash dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

thomas-hayden · 2025-11-06T17:45:46Z

Checkmarx One – Scan Summary & Details – 7c816cb7-9e14-4d42-8d10-4e78da2d08a7

New Issues (139)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2017-16042	Npm-growl-1.9.2	details Recommended version: 1.10.0 Description: Growl adds growl notification support to nodejs. Growl versions prior to 1.10.0 does not properly sanitize input before passing it to exec, allowin... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7prAkD32RJUdUBPC5mpmNe9pFy4gsc%2FhrXm1Rsqh4Fg%3D` Vulnerable Package
CVE-2017-16226	Npm-static-eval-0.2.4	details Recommended version: 2.0.0 Description: The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions prior to 2.0.0, untrusted user input is able... Attack Vector: NETWORK Attack Complexity: LOW `ID: HQ7vD0z%2BW%2FpWK%2BdO6aT%2F9%2Bpr7%2BtSNCyYxIVH3KjipL4%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.0	details Recommended version: 3.0.2 Description: A Prototype Pollution vulnerability was found in module extend that allows an attacker to inject arbitrary properties onto "Object.Prototype". This... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FSlLR1r%2F8bKXXnxI0NJpKsnBGyzC9ffynWAXmBYHE98%3D` Vulnerable Package
CVE-2018-3745	Npm-atob-1.1.3	details Recommended version: 2.1.0 Description: The package atob through 2.0.3 allocates uninitialized buffers when a number is passed in input on Node.js 4.x and below. Attack Vector: NETWORK Attack Complexity: LOW `ID: qSEcTQLCmWMbPLjpCCGA9CJTb8oIzpXyc5ktMUKcVcs%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.1	details Recommended version: 0.5.1 Description: The `utilities` function of the deep-extend node module can be tricked into modifying the Prototype of Object when the attacker can control part of... Attack Vector: NETWORK Attack Complexity: LOW `ID: c0DbWcL6YgXx4Sl3ZRvA45vg%2FO2ZcbCOgkJpOkIfUmc%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Im40yGaLtp4vRaqGh2YmKoy7TVGTRR1i7X%2FDOY90I8o%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: msl4TwL6OmavJDCrpXuPeRSbExd6z1ikjpOjbJKx%2FQs%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: NkgaK3XWAgcjXVxisrtlTpkpGNf5Rr5EL%2B0WOXYzGbw%3D` Vulnerable Package
CVE-2020-7774	Npm-y18n-3.2.1	details Recommended version: 3.2.2 Description: This affects the package y18n versions prior to 3.2.2, 4.x prior to 4.0.1, 5.0.x prior to 5.0.5 and 6.0.0-alpha.0, are vulnerable to Prototype Poll... Attack Vector: NETWORK Attack Complexity: LOW `ID: IX8zCQxUj%2BhhW96JQLvxBsGlu9cUvDG588VQ3TeirZU%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.4	details Recommended version: 1.3.6 Description: The package ini versions prior to 1.3.6 have a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application tha... Attack Vector: NETWORK Attack Complexity: LOW `ID: ZJes6ujZxjYEGxS%2BdDEI%2BGVtzKVRkx2lUlA1d6wtpiA%3D` Vulnerable Package
CVE-2021-23807	Npm-jsonpointer-4.0.0	details Recommended version: 5.0.0 Description: A Type Confusion vulnerability in jsonpointer can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. Th... Attack Vector: NETWORK Attack Complexity: LOW `ID: sZnmzADsBZv7snTtaAsjk3aQSxdNtqfNytSIsAINC0Y%3D` Vulnerable Package
CVE-2021-3918	Npm-json-schema-0.2.3	details Recommended version: 0.4.0 Description: The package json-schema versions prior to 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Poll... Attack Vector: NETWORK Attack Complexity: LOW `ID: N0%2B1QmbMXT3zXTIKgSYnwVSAbBLJ58Fp4%2FFez4kdhhQ%3D` Vulnerable Package
CVE-2021-44906	Npm-minimist-0.0.8	details Recommended version: 0.2.4 Description: Minimist is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). This issue affects minimist versions prior t... Attack Vector: NETWORK Attack Complexity: LOW `ID: m4Z5F6B2vwxzyBHgTeUBF7P01t6lTSh%2B2sYs8E3w%2FdI%3D` Vulnerable Package
CVE-2021-44906	Npm-minimist-1.2.0	details Recommended version: 1.2.6 Description: Minimist is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). This issue affects minimist versions prior t... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2Bw70kzXxJauIQhlga74qTw61M0YgamMG00ASPEqb3RE%3D` Vulnerable Package
CVE-2022-37601	Npm-loader-utils-0.2.16	details Recommended version: 1.4.2 Description: Prototype Pollution Vulnerability present in the loader-utils package in the function 'parseQuery()' of 'parseQuery.js' file via the 'name' variabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: FA4GYMBJPfpuLO%2FhaXh9PLjYBxta7lo9LVtYdkxjuO8%3D` Vulnerable Package
CVE-2022-37601	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: Prototype Pollution Vulnerability present in the loader-utils package in the function 'parseQuery()' of 'parseQuery.js' file via the 'name' variabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: q%2BKlWs%2Fz%2FoT8Gb2jx7wUDNKuYQUVSFqy3LzpKAO8NhA%3D` Vulnerable Package
CVE-2023-26136	Npm-tough-cookie-2.3.2	details Recommended version: 4.1.3 Description: The package tough-cookie in versions prior to 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 0UDTiH68WO3nrdGwuCLtTz12HGOgI6aGgyVUItIJ4po%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.0.15	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: tGkDPXX3nK1VmVovhx29oWwMDzD%2FzUFQ1%2BX8jp5pQxY%3D` Vulnerable Package
CVE-2024-40643	Npm-htmlparser2-3.8.3	details Recommended version: 5.0.0 Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7sdPcr1vXbIkrXTv8uNELOqlIl%2FOukuv9XY0e6qIX2s%3D` Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: In the elliptic package, "ECDSA" signature malleability occurs because "BER-encoded" signatures are allowed which leads to Improper Verification of... Attack Vector: NETWORK Attack Complexity: LOW `ID: pGpAOGiglqifkq6NNm8dewD0dJ7Ur6SCJQ0zc64pAow%3D` Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The verify function in "lib/elliptic/eddsa/index.js" in the Elliptic versions 4.0.0 through 6.5.5 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)... Attack Vector: NETWORK Attack Complexity: LOW `ID: xlYCsocLO%2BVBp5H7XLQbffGgehcyW65sAy4OXkbiB7A%3D` Vulnerable Package
CVE-2025-6547	Npm-pbkdf2-3.0.9	details Recommended version: 3.1.3 Description: Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects versions through 3.1.2. Attack Vector: NETWORK Attack Complexity: HIGH `ID: 0OrLrogaoHiT%2BSyA8t9ZVEPIlOm0Iw0RwTce1vjKayc%3D` Vulnerable Package
CVE-2025-7783	Npm-form-data-2.1.2	details Recommended version: 2.5.4 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the pro... Attack Vector: NETWORK Attack Complexity: HIGH `ID: 4kcuPmOg19aBACypVnsYk%2BkxyioRAkF4Dl%2F5tzBP9ao%3D` Vulnerable Package
CVE-2025-9287	Npm-cipher-base-1.0.3	details Recommended version: 1.0.5 Description: Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects versions through 1.0.4. Attack Vector: NETWORK Attack Complexity: HIGH `ID: 14r9dt7isrV8HlVD3JK4CLqopJLFT0mJQZnblPDwJzo%3D` Vulnerable Package
CVE-2025-9288	Npm-sha.js-2.4.8	details Recommended version: 2.4.12 Description: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js through 2.4.11. Attack Vector: NETWORK Attack Complexity: HIGH `ID: eKt%2FC5%2BT5IiHps%2BUzpkvP0fH4pD3LDwOx2zGML%2Fnj%2Bs%3D` Vulnerable Package
CVE-2025-9288	Npm-sha.js-2.2.6	details Recommended version: 2.4.12 Description: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js through 2.4.11. Attack Vector: NETWORK Attack Complexity: HIGH `ID: I8MQ4oHPbCm9LP71Wmtg3mtilihMJfpHkf%2FpUb74PWA%3D` Vulnerable Package
Cx88b46a98-47a5	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: qD%2FICPdtGFwHZpINyV0FGOy%2FoCCJ6DShS7sCsk6VUj4%3D` Vulnerable Package
Cxbf5cb5f8-f150	Npm-lodash.merge-4.6.0	details Recommended version: 4.6.2 Description: The package `lodash.merge` versions prior to 4.6.2 are vulnerable to Prototype Pollution. The function `merge` may allow a malicious user to modify... Attack Vector: NETWORK Attack Complexity: LOW `ID: hnehIChkVaZWhPnsZALtTPt89PMAjSCMZAaSrllWCp8%3D` Vulnerable Package
CVE-2016-10540	Npm-minimatch-0.2.14	details Recommended version: 3.0.5 Description: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatc... Attack Vector: NETWORK Attack Complexity: LOW `ID: KENAsiN%2FN0kOB5RZqrvea1pXCx5qhK0VijtkiFwLXuI%3D` Vulnerable Package
CVE-2016-10540	Npm-minimatch-2.0.10	details Recommended version: 3.0.5 Description: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatc... Attack Vector: NETWORK Attack Complexity: LOW `ID: RS7mT2Z0Pb7nIzRLxaDpQpEf5HNvtcbAON%2FQakCP4JU%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.2.0	details Recommended version: 6.2.4 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4wXp47T9PYtSSsyaqVwXadK0vIyHW92GvXJU4iaBSvs%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.3.0	details Recommended version: 6.3.3 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: AkA7HxBRTrbATacsbioVQbu4fdtY6xdM1Sss6KwP0Z0%3D` Vulnerable Package
CVE-2017-15010	Npm-tough-cookie-2.3.2	details Recommended version: 4.1.3 Description: A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make... Attack Vector: NETWORK Attack Complexity: LOW `ID: S8jv6M1OoLtxyXQ1BT5T9rnDnMaiLZmXevt6j7MYCN0%3D` Vulnerable Package
CVE-2017-16032	Npm-brace-expansion-1.1.6	details Recommended version: 1.1.12 Description: Brace-expansion is vulnerable to a Regular Expression Denial of Service (ReDoS) condition in versions prior to 1.1.7. Attack Vector: NETWORK Attack Complexity: LOW `ID: SC3K%2BuI8V3cx2h7zlCHXs%2F1DgV1NmMsc%2FwAe%2B8yorj0%3D` Vulnerable Package
CVE-2017-16118	Npm-forwarded-0.1.0	details Recommended version: 0.1.2 Description: The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of s... Attack Vector: NETWORK Attack Complexity: LOW `ID: o5levn7yYion%2BNeGgKFU5NzvgOUjy0ONnsHv2tgH9tw%3D` Vulnerable Package
CVE-2017-16119	Npm-fresh-0.3.0	details Recommended version: 0.5.2 Description: Fresh is a module used by the Express.js framework for HTTP response freshness testing. Prior to v0.5.2 it is vulnerable to a regular expression de... Attack Vector: NETWORK Attack Complexity: LOW `ID: YbbbksFUduQrnNF2fSBYb2lebXMg5xiZ8wtBtpNhIkc%3D` Vulnerable Package
CVE-2017-16138	Npm-mime-1.3.4	details Recommended version: 1.4.1 Description: The mime module < 1.4.1 and 2.0.0 through 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted ... Attack Vector: NETWORK Attack Complexity: LOW `ID: OAcMd8CTm8fzEWamJM%2Bz%2B90s4kSVMW0JK%2BTiHSxytPM%3D` Vulnerable Package
CVE-2017-18077	Npm-brace-expansion-1.1.6	details Recommended version: 1.1.12 Description: index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argume... Attack Vector: NETWORK Attack Complexity: LOW `ID: Yogu66koNQz3Xf6JZ3sKCODtq%2BpMEjouG39Tz6vP2XA%3D` Vulnerable Package
CVE-2018-20834	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a ta... Attack Vector: NETWORK Attack Complexity: LOW `ID: 35nLkgJeBi7uxul2J6iE7X0h0g81RCPz857%2BKWMJi%2FM%3D` Vulnerable Package
CVE-2018-3728	Npm-hoek-2.16.3	details Recommended version: 4.2.1 Description: hoek node module before 4.2.1 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'ap... Attack Vector: NETWORK Attack Complexity: LOW `ID: Yyec2ozK5hK4R4RmQ4mKmOPxhQlwZ4MpZBPt%2BnJnU7o%3D` Vulnerable Package
CVE-2018-3737	Npm-sshpk-1.10.1	details Recommended version: 1.13.2 Description: sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. Attack Vector: NETWORK Attack Complexity: LOW `ID: a5FSyMlKp7kOEsPswNLoAI5kNHwpRUBWvuwj3jx8R9E%3D` Vulnerable Package
CVE-2019-13173	Npm-fstream-1.0.10	details Recommended version: 1.0.12 Description: fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the sys... Attack Vector: NETWORK Attack Complexity: LOW `ID: FnY%2BU%2BVRjIWlILgoXIRozEQ7MCP4ZlFoYo8DElYwbkE%3D` Vulnerable Package
CVE-2020-13822	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The Elliptic package up to 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflo... Attack Vector: NETWORK Attack Complexity: HIGH `ID: aBVY5%2BARktsQEztqQ4u1GQ93DiD%2Be1IBdY6SOKcJWG0%3D` Vulnerable Package
CVE-2020-28469	Npm-glob-parent-2.0.0	details Recommended version: 5.1.2 Description: In glob-parent prior to 5.1.2 the way that the `enclosure` regex in `index.js` is defined could allow an attacker to exploit it, and cause a Denial... Attack Vector: NETWORK Attack Complexity: LOW `ID: 9xeyv326t7XIz0RdriFrvfkYEMaWYjIIfD84UvBR9Y4%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: BPc%2B03mYcU5zl1yxp6Bg22HAA7d9vpf9gYZc03Vx2d8%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: UlyBo%2F8rrQfRpekZaCCCqXC0dCX%2FE9JCOaDsi5Dw3cg%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: zP1yyFgeQxINM3sZGi%2ByDoKQoI88cpEWBG5H%2BuMwmSk%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash.template-3.6.2	details Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: br18a%2FUyCw1dJ3OlZ6xuIFtFz1ZaHlEfljyFNfbh48Y%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: iasQ9csxQOqdOqEJFyPLB3QxN12nfTp0sa6l%2BCtQDmo%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: IpwcUyuS2FSBZBvXuOGZHJAH4iJ9H6lKeJ%2BeIONCyW0%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: ivYAih8FNyNynVqy9DpThnZI9Uie%2BboVTg8Y4bzmws0%3D` Vulnerable Package
CVE-2021-32803	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via ins... Attack Vector: NETWORK Attack Complexity: LOW `ID: sa5EmvxRm2Gi%2FfMsgJIXZG5wJnC6kMSVYF0FlG3R43o%3D` Vulnerable Package
CVE-2021-32804	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) versions prior to 3.2.2 and 4.x prior to 4.4.14, 5.x prior to 5.0.6 and 6.x prior to 6.1.1 has a arbitrary Fil... Attack Vector: NETWORK Attack Complexity: LOW `ID: AjPn5LrObq%2BgSVTuY0WjEldQqCcLuP5vyLxCyZEfTN4%3D` Vulnerable Package
CVE-2021-37701	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution... Attack Vector: LOCAL Attack Complexity: LOW `ID: HUjQQkpHilsLw7S9Ct1a%2B2Qeu871XA%2BzD7%2BjZ%2FA0W6U%3D` Vulnerable Package
CVE-2021-37712	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio... Attack Vector: LOCAL Attack Complexity: LOW `ID: RfhWnfTpJXetQ%2F5LBxlhEy2QlwLmgx0nOjTRW5UaBVg%3D` Vulnerable Package
CVE-2021-37713	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio... Attack Vector: LOCAL Attack Complexity: LOW `ID: xQSfER2CMFVpbuehHIj7h1Sc3cm1W7GWzFgC9gy78bs%3D` Vulnerable Package
CVE-2021-3807	Npm-ansi-regex-2.0.0	details Recommended version: 3.0.1 Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4ZoWN7dS2Vk8lXEG04LcrWkNDlREbvAp0GW6ThBmlC4%3D` Vulnerable Package
CVE-2021-43138	Npm-async-2.1.5	details Recommended version: 2.6.4 Description: In Async versions 2.0.0-rc.6 prior to 2.6.4, and 3.x prior to 3.2.2, a malicious user can obtain privileges via the "mapValues()" method, aka "lib/... Attack Vector: LOCAL Attack Complexity: LOW `ID: HOSHN38xv2p9M7ECxge%2FO6GeTr7zPins0f7UH%2FxyaHE%3D` Vulnerable Package
CVE-2022-0144	Npm-shelljs-0.3.0	details Recommended version: 0.8.5 Description: shelljs prior to 0.8.5 is vulnerable to Improper Privilege Management. Attack Vector: LOCAL Attack Complexity: LOW `ID: NRTk2XAUMBtkYDQoI0ZntL7KUrg%2BxDdOK2bNkjWIzuA%3D` Vulnerable Package
CVE-2022-21803	Npm-nconf-0.6.9	details Recommended version: 0.11.4 Description: This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configurati... Attack Vector: NETWORK Attack Complexity: LOW `ID: 1NxDp6vB6U9YsfLez%2FQngOrbNHeVrcek6iCnJQiRCXo%3D` Vulnerable Package
CVE-2022-24999	Npm-qs-6.2.0	details Recommended version: 6.2.4 Description: The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application becau... Attack Vector: NETWORK Attack Complexity: LOW `ID: rb11zJgDWWGEhbEJHCi22NQwM3qqI4WqVgKuJ3pdVVQ%3D` Vulnerable Package
CVE-2022-24999	Npm-qs-6.3.0	details Recommended version: 6.3.3 Description: The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application becau... Attack Vector: NETWORK Attack Complexity: LOW `ID: w2Alg13K%2Fc4XqQEvg6r%2Fz%2BHVblXbfBPSHBZ5ct38jfA%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-5.3.0	details Recommended version: 5.7.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 2JSlKsi7FBgCVVKP0aJu856Z8tpArAYrRk9H81Lywj4%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-4.3.6	details Recommended version: 5.7.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: UQR%2BdlM8t3HCfwenn5JTbnq5OfepZGuKm1OCgwq0B3M%3D` Vulnerable Package
CVE-2022-29167	Npm-hawk-3.1.3	details Recommended version: 9.0.1 Description: Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the re... Attack Vector: NETWORK Attack Complexity: LOW `ID: 83EB97B9DhnVnxNW1%2BHvroJEc6XqucaAmryWZQCmoUw%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-3.0.3	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: 23Pxl%2F%2FjA%2BcmSFydFw7uAXAlkFdqCuXAATkO8uWftCs%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-2.0.10	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: 6C9VYZe%2F3cnnvuKpsyzUNcfBPgfbjsin3YYPfFHztO8%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-0.2.14	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: oEmsp0Yw%2FQwAMwMeKCWfuAEZYoTbSV9jsk9xogBoMAU%3D` Vulnerable Package
CVE-2022-37599	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0 through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Y7OGZMH0%2BvqmXkR2A2fco%2FrGFdcwlbheZ8dNH1BvXp8%3D` Vulnerable Package
CVE-2022-37603	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0 through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through ... Attack Vector: NETWORK Attack Complexity: LOW `ID: CEFFQykkIS7%2Fah5juPtNkzN98QA4bT6HNOWa8HTWuRc%3D` Vulnerable Package
CVE-2022-46175	Npm-json5-0.5.1	details Recommended version: 1.0.2 Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` met... Attack Vector: NETWORK Attack Complexity: LOW `ID: EFB5QmQRgYuFvSrEa4m6XVliu7ePdDQkyvo0t%2FO5caE%3D` Vulnerable Package
CVE-2023-46234	Npm-browserify-sign-4.0.0	details Recommended version: 4.2.2 Description: The browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's wor... Attack Vector: NETWORK Attack Complexity: LOW `ID: iQBXtAlhOFxAGr5cGFQEzUjIW4EF3%2BA%2BFzz%2BibSxCQI%3D` Vulnerable Package
CVE-2024-4068	Npm-braces-1.8.5	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW `ID: N25R%2BN8RoNFokyMjcnOuWyr%2FoYZ4vd1ya0tp9FeINII%3D` Vulnerable Package
CVE-2024-45296	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW `ID: 21xlhYG2262R1RQzNkTq9%2BfyMU8YaJp%2FpcMf%2BAQAfOE%3D` Vulnerable Package
CVE-2024-45296	Npm-path-to-regexp-1.7.0	details Recommended version: 1.9.0 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW `ID: MDzjVt2Me%2BOz4a0bnXKJUf%2FkCv4%2BvLq790f3ReyxSNk%3D` Vulnerable Package
CVE-2024-45590	Npm-body-parser-1.15.2	details Recommended version: 1.20.3 Description: The body-parser is Node.js body parsing middleware. The body-parser package versions prior to 1.20.3 and 2.0.x prior to 2.0.0 are vulnerable to Den... Attack Vector: NETWORK Attack Complexity: LOW `ID: Cl63a%2BUslmH%2F%2B3ZGbMf2hVM5DBTW5FZigY%2BmjkOgAEk%3D` Vulnerable Package
CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW `ID: CLHHjxh%2FrGsvEjqSuKWw7TFOjEy7RxhAhpWdd%2FWToD0%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: fh8lldcSaF9hc9XM3XPy00ilrtIb1pY4y6ta1IZQKbo%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: HJTHXJlKPe6nqw3ZRDO1HaNx8HkL%2FaKCksVco2YyUf0%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: ZlYj8YeZ8f7XiYKQ0M4Q6MYBVDa3PQO8LQ8hz3xmUqs%3D` Vulnerable Package
Cx17c4a5a4-deb7	Npm-diff-3.2.0	details Recommended version: 3.5.0 Description: A vulnerability was found in diff versions 2.1.0 through 3.4.0. The affected versions of this package are vulnerable to Regular Expression Denial o... Attack Vector: NETWORK Attack Complexity: HIGH `ID: BcBaulcjyHMwq0uIob8fiKelafumx8St4%2FApBkB%2F6U8%3D` Vulnerable Package
Cx28d8d81d-c124	Npm-stringstream-0.0.5	details Recommended version: 0.0.6 Description: Stringstream is vulnerable to uninitialized buffer allocation. It allows to extract sensitive data from uninitialized memory or to cause a Denial o... Attack Vector: NETWORK Attack Complexity: LOW `ID: KrWvrQM5vGKpAPKM%2BPFuyEGZhdccmzPzgHZm1rVoxq8%3D` Vulnerable Package
Cx2d55b83a-7aa0	Npm-braces-1.8.5	details Recommended version: 3.0.3 Description: Braces is vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular ex... Attack Vector: NETWORK Attack Complexity: LOW `ID: Wl%2FAER1b91Dj8gfpMINiaGSthufqgXchvYu1SmJyY1g%3D` Vulnerable Package

More results are available on the CxOne platform

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

dependabot bot added the dependencies This pull request has dependencies. label Jan 9, 2023

dependabot bot force-pushed the dependabot/npm_and_yarn/dev-playground/lodash-4.17.21 branch from 80ba822 to 94c9cf2 Compare January 9, 2023 17:50

dependabot bot force-pushed the dependabot/npm_and_yarn/dev-playground/lodash-4.17.21 branch from 94c9cf2 to d56b3ab Compare November 6, 2025 17:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump lodash from 4.17.2 to 4.17.21 in /dev-playground #2

Bump lodash from 4.17.2 to 4.17.21 in /dev-playground #2

Uh oh!

dependabot bot commented on behalf of github Jan 9, 2023 •

edited

Loading

Uh oh!

ImagineBuildBot commented Jan 9, 2023

Uh oh!

ImagineBuildBot commented Jan 9, 2023 •

edited

Loading

Uh oh!

ghost commented Nov 6, 2025

Uh oh!

thomas-hayden commented Nov 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Bump lodash from 4.17.2 to 4.17.21 in /dev-playground #2

Are you sure you want to change the base?

Bump lodash from 4.17.2 to 4.17.21 in /dev-playground #2

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 9, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ImagineBuildBot commented Jan 9, 2023

Uh oh!

ImagineBuildBot commented Jan 9, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Cx-SAST Summary

Violation Summary

Cx-SAST Details

Uh oh!

ghost commented Nov 6, 2025

Uh oh!

thomas-hayden commented Nov 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot bot commented on behalf of github Jan 9, 2023 •

edited

Loading

ImagineBuildBot commented Jan 9, 2023 •

edited

Loading