Arbitrary code execution vulnerability affecting underscore package

[jrpomeroy]

Any hope of getting a fix that replaces nomnom? It's deprecated and depends on a version of underscore that has a high severity vulnerability:

https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

└─┬ jsonlint@1.6.3
  └─┬ nomnom@1.8.1
    └── underscore@1.6.0

[coderextreme]

I am having difficulty building my repos without a good jsonlint, please fix quickly. Thanks!

Simple package.json which will reveal the problem with npm install

$ cat package.json 
{
  "name": "x3dvalidate",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "jsonlint": "^1.6.3"
  }
}

[coderextreme]

#120

[sedlakr]

I have analzyed this vulnerability. Underscore is only dev dependency for building jsonlint.js by jison (https://github.com/zaach/jison). It is not used in production code. So I forked repository and created new version and published package under my scope. Look at https://www.npmjs.com/package/@sedlak.r/jsonlint. Hope it will help for someone.

[lrntgt]

My guess is that it would be resolved if we publish again the package on npm as version 1.6.4
This would taken into account the recent commits

[christopherwood]

#141

As noted in the PR, removing package-lock.json lets the package build without the vulnerable dependency.

[doniz]

And why this still remain unsolved? The issue has been created 3 years ago, no progress.