Getting Command Injection in Lodash
Recently my security scan reported the following vulnerability.
Security scan result:
Explanation: The `lodash` package is vulnerable to Command Injection. The `template` function in the `lodash.js` and `template.js` files does not properly ensure the `variable` property of the `options` parameter to be a valid EcmaScript. An attacker can exploit this vulnerability by passing a template with malicious JavaScript in it to the affected function. This will result in Remote Code Execution.
Note: This vulnerability is due to an incomplete fix for CVE-2021-23337.
Detection: Applications using this component are vulnerable.
Recommendation: There is no non-vulnerable upgrade path for this component/package. We recommend investigating alternative components or potential mitigating controls.
When I run npm audit, I see this reported as a vulnerability. Although all my packages are updated in the package.json file, I still get this error.
npm audit result:
High            Command Injection in lodash
Package         lodash
Patched in      >=4.17.21
Dependency of   grunt-maven-deploy [dev]
Path            grunt-maven-deploy > grunt > grunt-legacy-log > grunt-legacy-log-utils > lodash
More info       https://github.com/advisories/GHSA-35jh-r3h4-6jhm

High            Command Injection in lodash
Patched in      >=4.17.21
Dependency of   grunt-maven-deploy [dev]
Path            grunt-maven-deploy > grunt > grunt-legacy-log > lodash
More info       https://github.com/advisories/GHSA-35jh-r3h4-6jhm
package.json:
{
  "grunt": "1.4.1",
  "grunt-cli": "1.4.3",
  "grunt-maven-deploy": "0.2.1",
  "grunt-run": "0.8.1",
  "grunt-tslint": "5.0.2"
}
Can someone explain this and help me fix it?
Thanks
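The scanner text above says the `variable` option of `template` is not checked to be valid JavaScript. The following is an added example, not code from the post and not lodash's implementation: a deliberately simplified template compiler that shows why an unchecked `variable` option turns into code execution, beside a hardened version that validates the option before generating any source. The template language is reduced to literal text, the payload is constructed for the example, and the identifier allow-list is my choice (lodash's own patch is not reproduced here).

```javascript
// Added example: a deliberately simplified model of the bug class behind the
// advisory. It is not lodash's code. A template compiler builds JavaScript
// source as a string and hands it to the Function constructor; if the caller's
// `variable` option is spliced into that source unchecked, the option becomes
// an injection point for arbitrary code. The template language here is only
// literal text, which is enough to show the `variable` problem.

// Vulnerable shape: `variable` is trusted to be an identifier.
function compileUnsafe(text, options = {}) {
  const variable = options.variable || 'obj';
  const source =
    'function(' + variable + ') {\n' +
    "  var __p = '';\n" +
    '  __p += ' + JSON.stringify(text) + ';\n' +
    '  return __p;\n' +
    '}';
  // Compile the generated source; the returned value is the template function.
  return Function('return ' + source)();
}

// Hardened shape: accept only a plain identifier before building any source.
// This allow-list is my choice for the example; lodash's own patch is not
// reproduced here.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function compileSafe(text, options = {}) {
  const variable = options.variable || 'obj';
  if (!IDENTIFIER.test(variable)) {
    throw new Error('Invalid variable option passed into template');
  }
  return compileUnsafe(text, { variable });
}

// Constructed payload, shaped like the public PoC pattern for this bug class:
// close the parameter list, supply an attacker-chosen function body, then
// open a dummy function declaration so the rest of the generated source
// still parses. The generated source becomes:
//   function(){ ...attacker code... }; function __pad(obj) { ...original body... }
const PAYLOAD =
  "){ globalThis.__injected = 'attacker code ran'; return 'owned'; }; function __pad(obj";

// Renders a benign template, then the poisoned one, and reports what ran.
function demoUnsafe() {
  delete globalThis.__injected;
  const benign = compileUnsafe('hello', { variable: 'data' })({});
  const poisoned = compileUnsafe('hello', { variable: PAYLOAD })({});
  return { benign, poisoned, injected: globalThis.__injected };
}

// The hardened compiler refuses the payload before any source is generated.
function demoSafe() {
  try {
    compileSafe('hello', { variable: PAYLOAD });
    return 'accepted';
  } catch (err) {
    return 'rejected: ' + err.message;
  }
}

console.log(demoUnsafe()); // { benign: 'hello', poisoned: 'owned', injected: 'attacker code ran' }
console.log(demoSafe());   // rejected: Invalid variable option passed into template
```

The point to take from the poisoned run is that the attacker-supplied body replaces the template entirely and executes with the privileges of the process that renders the template; the input that does this is an options value, not the template string itself, which is why scanners describe it as command injection rather than a templating bug.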
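The npm audit paths show that lodash is not a direct dependency here: it is pulled in by grunt-legacy-log and grunt-legacy-log-utils underneath grunt-maven-deploy, so bumping the direct grunt packages in package.json does not change which lodash gets resolved. One way to force the nested copy to the version npm audit lists as patched is npm's `overrides` field, supported from npm 8.3 on. The fragment below is an added example, not part of the post; the devDependencies versions are the ones the post lists, and the `overrides` entry is the addition (assuming the packages are in devDependencies, as the `[dev]` tag in the audit output indicates).

```json
{
  "devDependencies": {
    "grunt": "1.4.1",
    "grunt-cli": "1.4.3",
    "grunt-maven-deploy": "0.2.1",
    "grunt-run": "0.8.1",
    "grunt-tslint": "5.0.2"
  },
  "overrides": {
    "lodash": "4.17.21"
  }
}
```

After editing, run `npm install` so package-lock.json is regenerated, then `npm ls lodash` to confirm that every path (including the grunt-legacy-log-utils one) resolves to 4.17.21, and `npm audit` again. Yarn 1 offers a `resolutions` field for the same purpose. Two caveats: overriding a transitive dependency to a version its parent did not declare is the consumer's responsibility to test, so run the grunt tasks once afterwards; and the override clears the npm audit finding, but the scan result quoted at the top states that no non-vulnerable upgrade path exists, so whether that scanner still flags 4.17.21 depends on its own advisory data, not on the override.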