The latest release of httpntlm has a dependency on underscore@~1.12.1. This pulls in the latest patch version of underscore@1.12, but not the latest version of underscore@^1. This results in CVE-2026-27601 being found in underscore (which is fixed in underscore version 1.13.8).
Could httpntlm update its dependency to be on underscore@^1.13.8? I'll submit a PR.
The workaround would be for users to add an override in their package.json
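An added example (not code from httpntlm or the issue author) that does two things a user hitting this would want: scan an npm lockfile for any resolved underscore older than the fixed 1.13.8, and produce the package.json `overrides` entry described above as the workaround. It assumes the lockfile v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` path); the sample lockfile is constructed.

```javascript
// Fixed version named in the issue; anything resolved below this is still affected.
const FIXED = [1, 13, 8];

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Plain major.minor.patch comparison (no prerelease handling; enough for this check).
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every lockfile path whose resolved underscore is older than 1.13.8.
// Nested copies (e.g. under httpntlm's own node_modules) are exactly the ones
// a ~1.12.1 range produces, so they are the interesting hits.
function findVulnerableUnderscore(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/underscore')) continue;
    if (lessThan(parseVersion(entry.version), FIXED)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Add the package.json override that forces underscore@^1.13.8 for the whole tree.
function addUnderscoreOverride(pkg) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), underscore: '^1.13.8' } };
}

// Constructed sample: root resolved underscore to 1.13.8, but httpntlm's
// ~1.12.1 range pulled a separate nested 1.12.1.
const sampleLock = {
  packages: {
    '': { name: 'app' },
    'node_modules/httpntlm': { dependencies: { underscore: '~1.12.1' } },
    'node_modules/httpntlm/node_modules/underscore': { version: '1.12.1' },
    'node_modules/underscore': { version: '1.13.8' },
  },
};

console.log(findVulnerableUnderscore(sampleLock));
console.log(JSON.stringify(addUnderscoreOverride({ name: 'app' }), null, 2));
```

After writing the override, `npm install` re-resolves the tree; rerunning the scan against the new lockfile should return no hits.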