We currently support the following versions of Underscore with security updates:
- the latest commit on the
masterbranch (published as "edge" on the project website); - the 1.x release tagged as latest on npm;
- any release tagged as preview on npm, if present.
Please report security issues by sending an email to dev@juliangonggrijp.com and jashkenas@gmail.com.
Do not submit an issue ticket or pull request or otherwise publicly disclose the issue.
After receiving your email, we will respond as soon as possible and indicate what we plan to do.
template allows the user to inject arbitrary JavaScript
code in the template string. This is allowed by design. In fact, it is
the main feature of template. Without this feature, templates would
not be able to have conditional or repeated sections.
Because of this feature, it is the responsibility of the user not to
pass any untrusted input to template. The contract is similar to
that of the Function constructor or even eval: this function is so
powerful that it can be dangerous, so users must only pass trusted input. This is made explicit in the documentation.
If this does not sound exactly like what you were considering to
report, or in case of doubt, please do send us a report. Of course, we
would rather be safe than sorry. You would not be the first to find a
vulnerability in template.
After confirming a vulnerability, we will generally release a security update as soon as possible, including the minimum amount of information required for software maintainers and system administrators to assess the urgency of the update for their particular situation.
We postpone the publication of any further details such as code comments, tests, commit history and diffs, in order to enable a substantial share of the users to install the security fix before this time.
Upon publication of full details, we will credit the reporter if the reporter wishes to be publicly identified.