Hi,
Our clone of the nopCommerce repository has Dependabot Alerts enabled and is reporting a number of issues. You can enable the feature here - https://github.com/nopSolutions/nopCommerce/settings/security_analysis
There are 16 issues reported with the following severities:
2 Critical
5 High
9 Moderate
An example of a critical alert is:
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.12 or later.
It has also automatically created Pull Requests to fix a number of them but we prefer not to modify the nopSolutions core code if we can avoid it.
Are you able to have a look at the alerts and advise if you are able to remediate them? I am hoping they will be simple for you to fix.
Thanks
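For readers of this thread who want to see what the lodash guard in the quoted advisory actually protects against, the following is an added example; it is not code from this post, from nopCommerce, or from lodash itself. It is a stand-alone deep-merge with defaultsDeep-style semantics (source values fill only undefined target slots) that refuses to walk the keys `__proto__`, `constructor` and `prototype`, plus a scanner that reports where such keys occur in untrusted input so they can be logged. The settings shape, the `mergeSettings` name and the JSON payload are all constructed for the illustration.

```javascript
// Added example, not from the issue or from nopCommerce/lodash.
// A defaultsDeep-style merge that refuses to descend into the keys
// a prototype-pollution payload relies on, and a scanner that reports
// where those keys appear in untrusted input (for logging/alerting).
// lodash >= 4.17.12 applies an equivalent guard inside defaultsDeep.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Walk untrusted input and collect the dotted paths of every unsafe key.
function findUnsafeKeys(input, path = '', found = []) {
  if (!isPlainObject(input) && !Array.isArray(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) found.push(here);
    findUnsafeKeys(input[key], here, found);
  }
  return found;
}

// Copy values from `source` into `target` only where `target` has no own,
// defined value. Unsafe keys are recorded in `rejected` and never assigned,
// so the merge can never reach Object.prototype through `constructor`.
function safeDefaultsDeep(target, source, rejected = []) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    const src = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    const cur = hasOwn ? target[key] : undefined;
    if (isPlainObject(src)) {
      if (cur === undefined) target[key] = {};
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], src, rejected);
    } else if (cur === undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Hypothetical use: user-supplied settings JSON merged over built-in defaults.
// User values win where present; defaults fill the gaps; unsafe keys are dropped.
function mergeSettings(untrustedJson, defaults) {
  const untrusted = JSON.parse(untrustedJson);
  const flagged = findUnsafeKeys(untrusted);
  const rejected = [];
  const settings = safeDefaultsDeep({}, untrusted, rejected);
  safeDefaultsDeep(settings, defaults, rejected);
  return { settings, flagged, rejected };
}

// Constructed input shaped like the payload form quoted in the advisory.
const UNTRUSTED_SETTINGS = '{"theme":"dark","constructor":{"prototype":{"isAdmin":true}}}';
const DEFAULT_SETTINGS = { theme: 'light', pageSize: 20 };

const outcome = mergeSettings(UNTRUSTED_SETTINGS, DEFAULT_SETTINGS);
console.log(JSON.stringify(outcome));
console.log('Object.prototype untouched:', ({}).isAdmin === undefined);
```

The scanner and the merge are deliberately separate: the merge silently drops the unsafe keys so the request still succeeds, while the scanner output is what you would send to your logging or alerting pipeline, since a `constructor.prototype` key in user input is worth noticing even when it was blocked.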