The latest release of httpntlm has a dependency on underscore@~1.12.1. This pulls in the latest patch version of underscore@1.12, but not the latest version of underscore@^1. This results in CVE-2026-27601 being found in underscore (which is fixed in underscore version 1.13.8).
Could httpntlm update its dependency to be on underscore@^1.13.8? I'll submit a PR.
The workaround would be for users to add an override in their package.json.
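
The following is an added example, not part of the original issue or of httpntlm's code: it shows the override workaround as a package.json fragment and checks an npm lockfile for copies of underscore below the fixed version, so the override can be confirmed to have taken effect. The lockfile excerpts, the `example-app` name and the httpntlm version placeholder are constructed; the override syntax assumes npm's `overrides` field (npm 8.3 or later).

```javascript
// Added example: flag underscore installs below the fixed release in an npm
// lockfile (lockfileVersion 2/3 "packages" map). Sample data is constructed.
const FIXED = '1.13.8'; // fixed version as stated in the issue

// Workaround from the issue as a package.json fragment (npm "overrides", npm >= 8.3).
const overrideFragment = { overrides: { httpntlm: { underscore: '^1.13.8' } } };

// Compare plain x.y.z versions; prerelease tags are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `fixed`.
function findOutdated(lock, name, fixed) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; the last segment is the package.
    const pkg = path.split('node_modules/').pop();
    if (pkg === name && meta.version && compareVersions(meta.version, fixed) < 0) {
      found.push({ path, version: meta.version });
    }
  }
  return found;
}

// Constructed lockfile excerpts: before and after applying the override.
const beforeOverride = { lockfileVersion: 3, packages: {
  '': { name: 'example-app' },
  'node_modules/httpntlm': { version: '0.0.0-placeholder' },
  'node_modules/httpntlm/node_modules/underscore': { version: '1.12.1' },
} };
const afterOverride = { lockfileVersion: 3, packages: {
  '': { name: 'example-app' },
  'node_modules/httpntlm': { version: '0.0.0-placeholder' },
  'node_modules/underscore': { version: '1.13.8' },
} };

console.log('before:', findOutdated(beforeOverride, 'underscore', FIXED));
console.log('after: ', findOutdated(afterOverride, 'underscore', FIXED));
```

On a real project, pass the parsed contents of `package-lock.json` to `findOutdated` after reinstalling with the override in place.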