Recently, I have been facing the vulnerability below on my security scan.
Security scan results:
Explanation: The `lodash` package is vulnerable to Command Injection. The `template` function in the `lodash.js` and `template.js` files does not properly ensure the `variable` property of the `options` parameter to be a valid EcmaScript. An attacker can exploit this vulnerability by passing a template with malicious JavaScript in it to the affected function. This will result in Remote Code Execution.
Note: This vulnerability is due to an insufficient fix for CVE-2021-23337.
Detection: The application is vulnerable by using this component.
Recommendation: There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or a potential mitigating control.
When I run npm audit, I see these vulnerabilities. Though all of my packages are updated in the package.json file, I am still getting this error.
NPM audit results:
High Command Injection in lodash
Package lodash
Patched in >=4.17.21
Dependency of grunt-maven-deploy [dev]
Path grunt-maven-deploy > grunt > grunt-legacy-log > grunt-legacy-log-utils > lodash
More info https://github.com/advisories/GHSA-35jh-r3h4-6jhm
High Command Injection in lodash
Patched in >=4.17.21
Dependency of grunt-maven-deploy [dev]
Path grunt-maven-deploy > grunt > grunt-legacy-log > lodash
More info https://github.com/advisories/GHSA-35jh-r3h4-6jhm
package.json:
{
  "grunt": "1.4.1",
  "grunt-cli": "1.4.3",
  "grunt-maven-deploy": "0.2.1",
  "grunt-run": "0.8.1",
  "grunt-tslint": "5.0.2"
}
Could someone please explain and help me resolve this issue?
Thanks.
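The audit output above shows why updating the top-level packages does not help: the flagged lodash copies are nested several levels below grunt-maven-deploy. As an added example (not code from the post or from npm), the script below walks an `npm ls --json --all`-style dependency tree and lists every path that reaches a package whose installed version is below the "Patched in" version, reproducing the two paths from the audit. The tree is constructed inline to mirror the question; the nested lodash versions (4.17.19) and the intermediate package versions are assumed, not taken from the post.

```javascript
// Added example, not from the original post: find every nested copy of a
// package that is still below the version `npm audit` reports as patched.
// Tree shape follows `npm ls --json --all`: { version, dependencies: {...} }.
// Versions of intermediate packages and nested lodash copies are assumed.
const d = (version, dependencies = {}) => ({ version, dependencies });
const tree = d("1.0.0", {
  lodash: d("4.17.21"), // a patched top-level copy does not fix nested ones
  "grunt-maven-deploy": d("0.2.1", {
    grunt: d("1.4.1", {
      "grunt-legacy-log": d("3.0.0", {
        lodash: d("4.17.19"),
        "grunt-legacy-log-utils": d("2.1.0", { lodash: d("4.17.19") }),
      }),
    }),
  }),
});

// Numeric x.y.z comparison (no semver dependency, so it runs offline).
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk returning "a > b > pkg (version)" for each unpatched copy,
// in the same "Path ..." form that `npm audit` prints.
function findVulnerablePaths(node, pkg, patchedIn, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && versionLessThan(dep.version, patchedIn)) {
      hits.push(`${here.join(" > ")} (${dep.version})`);
    }
    hits.push(...findVulnerablePaths(dep, pkg, patchedIn, here));
  }
  return hits;
}

console.log(findVulnerablePaths(tree, "lodash", "4.17.21").join("\n"));
```

To run it against a real project, replace `tree` with the parsed output of `npm ls --json --all`; each path it prints is a dependency chain that the owning package (here grunt-maven-deploy) would need to update, or that an `overrides` entry in package.json (npm 8.3 or later) can pin to a patched version.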