Arbitrary Code Execution in underscore

- https://github.com/cms-DQM/dials/security/dependabot/9

This security issue should be easily fixable by updating underscore version according to dependabot, but underscore is a dependency of `react-bootstrap-table-next` and this [package](https://github.com/react-bootstrap-table/react-bootstrap-table2) is not maintained for more than 4 years.

This package has pinned the version of `underscore` to `1.9.1` as you can see [here](https://github.com/react-bootstrap-table/react-bootstrap-table2/blob/master/package.json#L87), so we can´t just update underscore's version in the dependency tree. Our options to fix this issue are:

- Wait for `react-bootstrap-table-next` to updated (at least have this [PR](https://github.com/react-bootstrap-table/react-bootstrap-table2/pull/1805) merged).
- Locally install `react-bootstrap-table-next` with the underscore bump.
- Refactor the code to get rid of `react-bootstrap-table-next` and use another library for rendering the tables.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Arbitrary Code Execution in underscore #37

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Arbitrary Code Execution in underscore #37

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions