We are finding an issue with the underscore library being added as a dependency for the cfenv module during deployment. See the details below.
VULNERABILITY INFO
Name: CVE-2021-23358
Library: underscore-1.9.2.tgz
Library Paths: node_modules/cfenv/node_modules/underscore/package.json
Severity: HIGH
Description: The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
TOP FIX
Fix Resolution: underscore - 1.12.1,1.13.0-2
Message: Upgrade to version
Any help would be appreciated
I've closed PR #48, and opened PR #50 for this instead. Should be ready to go. An npm audit of the production deps seems clean. I'll wait a bit to merge to see if anyone else wants to verify the new versions.