Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

@carbon/react uses [email protected] which has security issues #18097

Closed
k02pradeep opened this issue Nov 18, 2024 · 5 comments · Fixed by #18167
Closed

@carbon/react uses [email protected] which has security issues #18097

k02pradeep opened this issue Nov 18, 2024 · 5 comments · Fixed by #18167
Assignees
@guidari
Labels
severity: 1 https://ibm.biz/carbon-severity

Comments

@k02pradeep
Copy link

k02pradeep commented Nov 18, 2024
edited
Loading

Summary
@carbon/react uses [email protected] which has security issues

Details
Criticial and High priority security issues
GHSA-jf85-cpcp-j695 (BDSA-2019-2112)
GHSA-p6mc-m468-83gw (BDSA-2020-1674)
GHSA-35jh-r3h4-6jhm (BDSA-2021-0392)

Impact
Because the dependency of the @carbon/react v1.70.0 has dependency on lodash v4.6.0, we are not to release the product
@k02pradeep k02pradeep changed the title @carbon/react uses lodash 4.6.0 which has security issues @carbon/react uses [email protected] which has security issues Nov 20, 2024
@2nikhiltom 2nikhiltom added severity: 1 https://ibm.biz/carbon-severity severity: 2 https://ibm.biz/carbon-severity and removed severity: 1 https://ibm.biz/carbon-severity labels Nov 20, 2024
@k02pradeep
Copy link
Author

lodash/lodash#5832

@k02pradeep
Copy link
Author

#17731

@guidari guidari self-assigned this Nov 25, 2024
@alisonjoseph alisonjoseph moved this to ⏱ Backlog in Design System Nov 25, 2024
This was referenced Nov 26, 2024
Merged
Merged
@guidari guidari moved this from ⏱ Backlog to ✅ Done in Design System Nov 27, 2024
@guidari guidari closed this as completed by moving to ✅ Done in Design System Nov 27, 2024
@alisonjoseph
Copy link
Member

@k02pradeep This fix should be available in version 1.71.1 of @carbon/react.

@k02pradeep
Copy link
Author

Thank you @carbon/react team

@k02pradeep
Copy link
Author

@alisonjoseph Taking version 1.71.1 of @carbon/react fixes the security issue but has blocker issue with combobox #18145

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@guidari guidari

Labels
severity: 1 https://ibm.biz/carbon-severity
Projects
Design System
Status: ✅ Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: removed lodash.findlast to use JS code guidari/carbon
4 participants
@alisonjoseph @k02pradeep @guidari @2nikhiltom