fix: update lodash/lodash-es to fix CVEs flagged in 4.17.20 (#1334)
4.17.20 is flagged as being vulnerable to:

- CVE-2021-23337
  Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
- CVE-2020-28500
  Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

See
- https://www.openhub.net/p/lodash/security?filter%5Bmajor_version%5D=&filter%5Bperiod%5D=1&filter%5Bversion%5D=3409002148&filter%5Bseverity%5D=

Bumping to 4.17.21 for both lodash and lodash-es.

Previously the pinned versions for both drifted as the Lodash project had not been releasing lodash-es at the same time as lodash. They have resolved the release problems on their side and both are again released in sync.
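
One way to confirm that a bump like this reached every installed copy, including nested transitive ones, is to scan the parsed package-lock.json for lodash and lodash-es entries below 4.17.21. This is an added example, not code from this commit or project; `findOutdatedLodash`, `SAMPLE_LOCK` and the package names and versions in the sample are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for lodash / lodash-es < 4.17.21.
const FIXED = '4.17.21'; // first release without the two CVEs, per the commit message
const TARGETS = new Set(['lodash', 'lodash-es']);

// Compare plain x.y.z versions; negative when a < b. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Handles both layouts: "packages" keyed by install path (lockfileVersion 2/3)
// and nested "dependencies" (lockfileVersion 1).
function findOutdatedLodash(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (TARGETS.has(name) && typeof version === 'string' &&
        compareVersions(version, FIXED) < 0) {
      hits.push({ name, version, where });
    }
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    // meta.name is set for aliased installs; otherwise derive it from the path.
    check(meta.name || path.split('node_modules/').pop(), meta.version, path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? trail + ' > ' + name : name;
      check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: a top-level lodash already bumped, a drifted lodash-es,
// and an old lodash copy nested under a hypothetical dependency "some-lib".
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.21' },
  'node_modules/lodash-es': { version: '4.17.15' },
  'node_modules/some-lib/node_modules/lodash': { version: '4.17.20' },
} };
console.log(findOutdatedLodash(SAMPLE_LOCK));
```

A hit only shows that an affected release is installed; whether template, toNumber, trim or trimEnd is reachable with untrusted input still has to be checked in the calling code.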