Update Vulnerable Underscore.js 1.8.3 #7358
Comments
Thanks for reporting. Additionally, as mentioned, we can't fix it, but I currently assess the risk as being tolerable, given that it only affects a small subset of languages, and runs in an already isolated context. Also note that we're working on a new search to replace lunr.js and lunr-languages in the near future, tracked in #6307. Other than that, if you have any idea how we can mitigate the situation without starting to patch
As an additional countermeasure, I've looked at The CVE specifically concerns

```js
var acceptors = _.clone(Acceptors);
// ... can be changed to:
var acceptors = {...Acceptors}
```

This would also reduce the payload by several dozen kilobytes.
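Added example, not part of the original comments or of the project's code: a Node.js script that inventories Underscore inside a bundle, reporting the embedded version and the `_.<member>` calls the application code makes, so you can check whether a spread-based replacement like the one proposed above removes the dependency. The sample strings are constructed, and the `_.VERSION = '...'` marker, the `_` binding name and all function names are assumptions about how the library appears in a bundle.

```javascript
// Added example (not MkDocs Material or wordcut.js code).

// Assumption: the embedded library assigns its version as `_.VERSION = 'x.y.z'`,
// as classic Underscore builds do; a minified or modular build may differ.
const VERSION_RE = /_\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/g;
// A call through the conventional `_` binding, e.g. `_.clone(`.
// The lookbehind skips `foo_.x(` and property access such as `this._.x(`.
const CALL_RE = /(?<![\w$.])_\.([A-Za-z]\w*)\s*\(/g;

// Distinct Underscore versions whose marker appears in the text.
function embeddedUnderscoreVersions(source) {
  return [...new Set([...source.matchAll(VERSION_RE)].map(m => m[1]))];
}

// Distinct Underscore members that the given code calls, sorted.
function underscoreCalls(source) {
  return [...new Set([...source.matchAll(CALL_RE)].map(m => m[1]))].sort();
}

// Members for which the thread proposes a native replacement:
// `_.clone(obj)` on a plain object -> `{...obj}` (shallow copy).
const NATIVE_REPLACEABLE = new Set(['clone']);

// librarySource: the part of the bundle holding the library itself.
// appSource: the application code that consumes it.
function auditBundle(librarySource, appSource) {
  const calls = underscoreCalls(appSource);
  return {
    versions: embeddedUnderscoreVersions(librarySource),
    calls,
    // true only if every call found has a native replacement
    removable: calls.length > 0 && calls.every(c => NATIVE_REPLACEABLE.has(c)),
  };
}

// Constructed stand-ins for the two parts of a bundle (not the real file).
const SAMPLE_LIBRARY =
  "(function(){ var _ = {}; _.VERSION = '1.8.3'; _.clone = function(o){ return o; }; })();";
const SAMPLE_APP =
  "var acceptors = _.clone(Acceptors);\nvar n = this._.size(acceptors);";

console.log(JSON.stringify(auditBundle(SAMPLE_LIBRARY, SAMPLE_APP)));
```

After the application code is changed, rerun the audit on the rebuilt output: an empty `versions` list is the evidence that the library is no longer shipped.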
Context
No response
Description
Underscore.js 1.8.3, which is included in the built version of MkDocs Material documentation inside file site/assets/javascripts/lunr/wordcut.js, has a known high severity vulnerability (CVE-2021-23358).
Update to [email protected] is required
Related links
Use Cases
This has an effect on all users of the project.
Visuals
No response
Before submitting