Hi team,
After updating Wappler to v7.7.6, npm audit reports 2 high-severity vulnerabilities:
underscore <=1.13.7
Severity: high
Underscore has unlimited recursion in _.flatten and _.isEqual,
potential for DoS attack
https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
No fix available
node_modules/underscore
jsonpath *
Depends on vulnerable versions of underscore
node_modules/jsonpath
The jsonpath package (v1.3.0) depends on underscore, which has a known high-severity vulnerability with no fix available.
This dependency is used internally by Wappler's objectstructure module for JSONPath queries.
Suggested fix: Replace jsonpath with jsonpath-plus, which is actively maintained, does not depend on underscore, and provides a compatible API.
I would appreciate it if the Wappler team could evaluate this and update the dependency in a future release. Happy to provide more details if needed.
Reference: https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
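As an added example that is not part of the original post, and not code from Wappler, jsonpath or underscore: the advisory class named above (unbounded recursion over nested input) is easy to reproduce with a generic recursive flatten, and the usual stop-gap while a dependency has "no fix available" is to reject over-nested input at the trust boundary before it reaches such a function. The `MAX_NESTING` value of 64 and the `buildNested` payload builder are assumptions for illustration; the 200000-level input is constructed here, not captured from any real request.

```javascript
// Added example, not Wappler/jsonpath/underscore code. A recursive flatten
// (one native stack frame per nesting level) beside an iterative depth guard
// that rejects hostile nesting at O(limit) cost instead of exhausting the stack.

const MAX_NESTING = 64; // assumed limit; tune to what real payloads need

// Recursion depth equals input nesting depth, so attacker-controlled nesting
// translates directly into stack exhaustion (RangeError in Node).
function flattenRecursive(input) {
  const out = [];
  for (const item of input) {
    if (Array.isArray(item)) {
      for (const inner of flattenRecursive(item)) out.push(inner);
    } else {
      out.push(item);
    }
  }
  return out;
}

// Iterative depth check using an explicit heap-allocated stack: it cannot
// itself overflow, and it returns as soon as the limit is crossed, so the
// cost is bounded by maxDepth rather than by the attacker's payload.
function exceedsDepth(value, maxDepth) {
  const stack = [{ node: value, depth: 1 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (depth > maxDepth) return true;
    if (Array.isArray(node)) {
      for (const child of node) stack.push({ node: child, depth: depth + 1 });
    } else if (node !== null && typeof node === 'object') {
      for (const child of Object.values(node)) stack.push({ node: child, depth: depth + 1 });
    }
  }
  return false;
}

// Boundary guard: validate nesting before handing data to a recursive library.
function safeFlatten(input) {
  if (exceedsDepth(input, MAX_NESTING)) {
    throw new Error(`input nested deeper than ${MAX_NESTING} levels`);
  }
  return flattenRecursive(input);
}

// Constructed hostile payload: `depth` nested arrays around a single leaf.
function buildNested(depth, leaf = 1) {
  let value = [leaf];
  for (let i = 1; i < depth; i++) value = [value];
  return value;
}

// Runs both paths against a benign and a hostile input and reports the outcome.
function demo() {
  const benign = [1, [2, [3, [4]]]];
  const hostile = buildNested(200000);
  let unguardedCrashed = false;
  try {
    flattenRecursive(hostile);
  } catch (e) {
    unguardedCrashed = e instanceof RangeError; // "Maximum call stack size exceeded"
  }
  let guardedRejected = false;
  try {
    safeFlatten(hostile);
  } catch (e) {
    guardedRejected = /nested deeper/.test(e.message);
  }
  return {
    benign: safeFlatten(benign),
    unguardedCrashed,
    guardedRejected,
  };
}

console.log(JSON.stringify(demo()));
```

The guard does not make the vulnerable library safe; it only keeps untrusted, over-nested JSON from ever reaching it. Apply the same check to any object that is parsed from a request body and later passed to a JSONPath query, and keep the limit small enough that the check itself stays cheap.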