Vulnerabilities

DepShield reports that this application's usage of lodash._cacheindexof:3.0.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._cacheindexof:3.0.2 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._cacheindexof:3.0.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._baseindexof:3.1.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._baseindexof:3.1.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._baseindexof:3.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

did a first try using about:debugging as explained on https://developer.mozilla.org/fr/docs/Mozilla/Add-ons/WebExtensions/Your_first_WebExtension

got issues with:

• "declarativeContent" permission: https://stackoverflow.com/questions/39252384/is-there-a-ff-equivalent-to-chrome-declarativecontent-onpagechanged
• "background": https://developer.mozilla.org/fr/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#Compatibilit%C3%A9_du_navigateur
• "options_page": deprecated, replaced with "options_ui" https://developer.mozilla.org/fr/docs/Mozilla/Add-ons/WebExtensions/manifest.json/options_page

Vulnerabilities

DepShield reports that this application's usage of lodash.sortby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.sortby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• jest:24.5.0
        └─ jest-cli:24.5.0
              └─ jest-config:24.5.0
                    └─ jest-environment-jsdom:24.5.0
                          └─ jsdom:11.12.0
                                └─ data-urls:1.1.0
                                      └─ whatwg-url:7.0.0
                                            └─ lodash.sortby:4.7.0
                                └─ whatwg-url:6.5.0
                                      └─ lodash.sortby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.uniq:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.uniq:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ @octokit/rest:16.35.2
                    └─ lodash.uniq:4.5.0
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash.uniq:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of q:1.5.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

q:1.5.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/commit-analyzer:6.3.3
              └─ conventional-changelog-angular:5.0.6
                    └─ q:1.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.defaults:4.2.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.defaults:4.2.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release-chrome:1.1.3
        └─ archiver:3.0.0
              └─ archiver-utils:2.1.0
                    └─ lodash.defaults:4.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Report found here https://crxcavator.io/report/mjehedmoboadebjmbmobpedkdgenmlhd/1.7.16

• Permissions: :///*, cookies, webRequest, tabs, storage, background, webRequestBlocking, activeTab

Vulnerabilities

DepShield reports that this application's usage of lodash.isplainobject:4.0.6 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.isplainobject:4.0.6 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ issue-parser:5.0.0
                    └─ lodash.isplainobject:4.0.6

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of mem:1.1.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

mem:1.1.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ libnpx:10.2.0
                          └─ yargs:11.0.0
                                └─ os-locale:2.1.0
                                      └─ mem:1.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

without this test opportunity in the options page, testing that the url and the credentials are ok is really cumbersome

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• jest:24.5.0
        └─ jest-cli:24.5.0
              └─ @jest/core:24.5.0
                    └─ micromatch:3.1.10
                          └─ extglob:2.0.4
                                └─ expand-brackets:2.1.4
                                      └─ debug:2.6.9
                          └─ snapdragon:0.8.2
                                └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.restparam:3.6.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.restparam:3.6.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash.restparam:3.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

When loading the plugin, you get an error "Browser is not defined"

When you upgrade to 83, the version history is not displayed. You will get a blank screen or a wait cursor. The reason is that in 83 the versions are now inside of a new tag "allVersions"

Vulnerabilities

DepShield reports that this application's usage of lodash.toarray:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.toarray:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ marked-terminal:3.3.0
              └─ node-emoji:1.10.0
                    └─ lodash.toarray:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

When trying to connect the chrome plugin to iq-server instance, we get a 402 error (Payment Required). Note that we use a valid IQ-server Lifecycle licence and that we could connect the jenkins plugin with no error.

This happens right after setting login credentials on the plugin settings page. We got a 'Login successful when clicking on 'Login' button but we cannot select any application.

Vulnerabilities

DepShield reports that this application's usage of lodash.clonedeep:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.clonedeep:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ libnpm:3.0.1
                          └─ libnpmpublish:1.1.2
                                └─ lodash.clonedeep:4.5.0
                    └─ lodash.clonedeep:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Currently the extension has to be installed in developer mode. We would prefer the extension to be published in the Chrome Extension store. This would allow the extension to be installed like any other extension.

Vulnerabilities

DepShield reports that this application's usage of lodash.escaperegexp:4.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.escaperegexp:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ issue-parser:5.0.0
                    └─ lodash.escaperegexp:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The new Search.Maven.Org website uses ajax to rewrite the content of the page when you choose a different version. This does not rewrite the URL. So you have a different version in the URL from the body of the document. So my plugin picks up the wrong version. It reads the data from the URL first before I pick the data from the body. So you will get the data for the URL not from the body of the Ajax panel.
Probably never fix. Just navigate to the true URL using the top selector and search and not the sub search drop box.
e.g.
https://search.maven.org/artifact/io.springfox/springfox-swagger-ui/2.6.1/jar

Vulnerabilities

DepShield reports that this application's usage of lodash._root:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._root:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._baseuniq:4.6.0
                          └─ lodash._root:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ @octokit/rest:16.35.2
                    └─ lodash.get:4.4.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.flatten:4.4.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.flatten:4.4.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release-chrome:1.1.3
        └─ archiver:3.0.0
              └─ archiver-utils:2.1.0
                    └─ lodash.flatten:4.4.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

https://crxcavator.io/report/mjehedmoboadebjmbmobpedkdgenmlhd/1.7.16
RetireJS Vulnerability Scan
Scripts/jquery-ui-1.12.1/external/jquery/jquery.js
MediumparseHTML() executes scripts in event handlers
jquery v1.12.4
Medium3rd party CORS request may execute
jquery v1.12.4
Scripts/jquery-3.3.1.min.js
LowjQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
jquery v3.3.1.min

When the plugin executes npm shrinkwrap, the package-lock.json file in the project is renamed to npm-shrinkwrap.json. That causes inconveniences to our build pipeline.
In your future release, would you consider keeping the package-lock.json file?

The preferred behaviour of the plugin would be not changing the original files in my project.

Analyse the artifact / library currently being visited without the need of clicking on the extension icon and update the icon based on the analysis.

We can perhaps have some sort of a green flag / indicator when the artifact is healthy or a red otherwise.

If you are logged in to NexusIQ and then launch the Chrome Extension, the NexusIQ session is terminated.

Vulnerabilities

DepShield reports that this application's usage of lodash.difference:4.5.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.difference:4.5.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release-chrome:1.1.3
        └─ archiver:3.0.0
              └─ archiver-utils:2.1.0
                    └─ lodash.difference:4.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

might be nice and more community friendly if we could redirect all request to OSSIndex if an IQ Server hasn't been configured.

Vulnerabilities

DepShield reports that this application's usage of lodash._getnative:3.9.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._getnative:3.9.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._createcache:3.1.2
                          └─ lodash._getnative:3.9.1
                    └─ lodash._getnative:3.9.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Sometime when you run the plugin on a page the wait cursor comes up and the response never comes back. You should expect to see a response within a few seconds all things being equal. I have not fully worked out this bug. From what I can gather it is often to do with content refresh not working on the target page. One work around that seems to work most of the time is to refresh the page within the external repository that you are looking at in your browser. This seems to wake up the plugin. I will do some more work to see if I can make a more complete fix.

@ctownshend had a POC where we attempted to install the plugin w/ @lennykean

We installed it from the chrome marketplace and all other functionality with IQ was interfacing fine, but we were getting nothing but a continually spinning hexagon

Was wondering what the best debugging steps are, if there are any logs or network traffic we should look at, or anything like that to determine the root cause of the issue that Lenny could pass over to us

Report found here https://crxcavator.io/report/mjehedmoboadebjmbmobpedkdgenmlhd/1.7.16

• Content Security Policy - excessive permissions. Will need to look in to reducing surface area from CSP. Currently "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Vulnerabilities

DepShield reports that this application's usage of lodash.set:4.3.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.set:4.3.2 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ @octokit/rest:16.35.2
                    └─ lodash.set:4.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

When IQ server is unavailable the Chrome plugin should tell us it is timed out. Currently it is crashing.
Error in event handler: TypeError: Cannot read property '0' of undefined
at renderComponentData (chrome-extension://mcmljcafoblbjfojgkldcpajcohcloee/Scripts/popup.js:253:66)
at createHTML (chrome-extension://mcmljcafoblbjfojgkldcpajcohcloee/Scripts/popup.js:179:13)
at gotMessage (chrome-extension://mcmljcafoblbjfojgkldcpajcohcloee/Scripts/popup.js:141:35)

It would be good to know how many people use the chrome extension and what urls they browse. We need to add the tracking instrumentation to know usage.

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Every time I hit 'login' the list gets bigger here and appends the list of apps to the previously populated list

Vulnerabilities

DepShield reports that this application's usage of handlebars:4.1.2 results in the following vulnerability(s):

• (CVSS 8.2) CWE-20: Improper Input Validation

Occurrences

handlebars:4.1.2 is a transitive dependency introduced by the following direct dependency(s):

• jest:24.8.0
        └─ jest-cli:24.8.0
              └─ @jest/core:24.8.0
                    └─ @jest/reporters:24.8.0
                          └─ istanbul-reports:2.2.6
                                └─ handlebars:4.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.union:4.6.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash.union:4.6.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash.union:4.6.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

When viewing a component and you want to see its remediation and version history, use the version history graph that is in the Component Information Panel (CIP) inside Eclipse IDE.

Vulnerabilities

DepShield reports that this application's usage of lodash._createcache:3.1.2 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._createcache:3.1.2 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._createcache:3.1.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

If the domain name contains a trailing '/', then the Information Panel will never load. e.g 'https://nexus.prd.systems/'

Message "An error occurred: Invalid cross-site request forgery token" occurs after initial install. If you use the extension a second time the message goes away and works correctly. Still trying to determine the cause and fix.

when browsing https://www.npmjs.com/package/@angular/animations/v/6.1.10 , component name and version are not recognized

The initial release 1.7.5 stores your username and password in plain text in Chrome storage. This is a known issue at this time. We are investigating solutions.

Vulnerabilities

DepShield reports that this application's usage of lodash.uniqby:4.7.0 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.uniqby:4.7.0 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ issue-parser:5.0.0
                    └─ lodash.uniqby:4.7.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash.isstring:4.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
• (CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...

Occurrences

lodash.isstring:4.0.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/github:5.5.5
              └─ issue-parser:5.0.0
                    └─ lodash.isstring:4.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of lodash._bindcallback:3.0.1 results in the following vulnerability(s):

• (CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)

Occurrences

lodash._bindcallback:3.0.1 is a transitive dependency introduced by the following direct dependency(s):

• semantic-release:15.13.31
        └─ @semantic-release/npm:5.3.4
              └─ npm:6.13.4
                    └─ lodash._bindcallback:3.0.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}