Report
We've recently added an OWASP vulnerability analysis step to our CI pipelines using DependencyCheck, and it reported two known vulnerabilities in some dependencies of Apollo. Looks like they are related to the JS components so please let me know if there is a better repo to report this to.
- Lodash (4.17.20) found in Pods/Apollo/scripts/apollo/node_modules/lodash/package.json: CVE-2020-28500, CVE-2021-23337
- jQuery (2.1.1) found in Pods/Apollo/scripts/apollo/node_modules/await-to-js/dist/docs/assets/js/main.js: CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
I found a similar issue that was raised in the past here: #439
Would it be possible to bump versions for those dependencies so they are not flagged? I'm not a JS expert, so I'm not sure how much effort it would be.
Versions
apollo-ios SDK version: 0.42.0
dependency-check version: 6.0.5
Steps to reproduce
- Pod install
- Build workspace in Xcode
- Run dependency-check