Skip to content
This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

Security - Bumps lodash@^4.17.21 for critical security patch #651

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

sforsberg
Copy link
Contributor

@sforsberg sforsberg commented Oct 14, 2021

Bumps lodash@^4.17.21 to patch a critical security vulnerability in the current hoisted version 4.17.19.

NOTE: Uses a minor semver to allow lodash to be easily bumped for future minor and patch versions. If this is preferred not to be used, I can revert this to a fixed version.

Resolves: #650

@sforsberg
Copy link
Contributor Author

sforsberg commented Oct 14, 2021

I may actually bump a few other dependencies in particular, most oc-* deps can likely be updated to use a minor semver and async is still pulling in lodash@4.17.19. (Disregard async, async@2.6.3 resolves the lodash vulnerability.)

Any objections to do that?

@sforsberg sforsberg added the dependencies Pull requests that update a dependency file label Oct 14, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Security | Critical vulnerability in lodash@4.17.19
1 participant