From 6f2779ecfc89519d02b8997294d9ced1dc5807ec Mon Sep 17 00:00:00 2001
From: Felix Kenton
Date: Sun, 31 Jan 2021 22:45:49 +0000
Subject: [PATCH 1/2] Bump lodash dependency to >=4.17.19

This addresses numerous security vulnerabilities present in the previous requirement of "^2.4.1":
* CVE-2018-3721
* CVE-2018-16487
* CVE-2019-10744
* CVE-2019-1010266
* CVE-2020-8203

The change to a ">=" dependency version is intended to allow users of this package to update lodash to address security vulnerabilities more easily in future, even if they *may* run into incompatibilities due to breaking changes, as this package doesn't appear to get updated regularly.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 4759570..98b4a8b 100644
--- a/package.json
+++ b/package.json
@@ -43,7 +43,7 @@
     "gruntplugin"
   ],
   "dependencies": {
-    "lodash": "^2.4.1",
+    "lodash": ">=4.17.19",
     "moment": "^2.9.0",
     "slash": "^1.0.0"
   }

From bf084a97a8738603ebf90dfefed72c55e69c850b Mon Sep 17 00:00:00 2001
From: Felix Kenton
Date: Sun, 31 Jan 2021 22:47:03 +0000
Subject: [PATCH 2/2] Change _.contains to _.includes

This is required due to a breaking change in the upgrade from lodash 3.x to 4.x.
---
 tasks/assets_versioning.js            | 2 +-
 tasks/versioners/abstractVersioner.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/assets_versioning.js b/tasks/assets_versioning.js
index 2810878..9eb5346 100755
--- a/tasks/assets_versioning.js
+++ b/tasks/assets_versioning.js
@@ -41,7 +41,7 @@ module.exports = function(grunt) {
       runTask: true
     });

-    if (!_.contains(['hash', 'date'], options.tag)) {
+    if (!_.includes(['hash', 'date'], options.tag)) {
       grunt.fail.warn('Invalid argument : options.tag should be equal to date or hash', 1);
     }

diff --git a/tasks/versioners/abstractVersioner.js b/tasks/versioners/abstractVersioner.js
index 13b82ea..60ea10b 100644
--- a/tasks/versioners/abstractVersioner.js
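Review bot: The new range `>=4.17.19` has no upper bound, so a fresh install resolves to whatever lodash is newest at that moment, including a future major with its own breaking changes, and consumers without a lockfile get non-reproducible builds. A caret range keeps the security benefit the commit message is after, because it still floats across 4.x minor and patch releases, which is where subsequent lodash fixes are published, without admitting a future major: `"lodash": "^4.17.19"`. If the intent is really to let downstream users raise the floor themselves, that is better done in their own lockfile or an npm `overrides` / yarn `resolutions` entry than by an open-ended range in this package's manifest.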
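Review bot: The `_.contains` to `_.includes` rename here, and the identical one in the abstractVersioner.js hunk, is only one of the API removals between the previous floor and the new one, and the patch message understates the jump: the manifest moved from `^2.4.1`, not from 3.x, so the 2.x-to-3.x removals apply as well as the 3.x-to-4.x ones. Other lodash 2 helpers that 4.x dropped (`_.pluck` and `_.where`, for instance) cannot be checked from these two hunks, so a grep of `tasks/` for remaining `_.` call sites, or a statement in the PR that it was done, would make the upgrade reviewable. The enclosing `module.exports = function(grunt)` body starts and ends outside this hunk.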
+++ b/tasks/versioners/abstractVersioner.js
@@ -188,7 +188,7 @@ AbstractVersioner.prototype.createPreVersioningSurrogateTask = function (task) {
       // push to the map of versions
       var versionedPath = destFilePath.replace(this.options.versionsMapTrimPath, '');

-      if (_.contains(allVersionedPath, versionedPath)) {
+      if (_.includes(allVersionedPath, versionedPath)) {
         grunt.fail.warn("Duplicate versioned path detected: '" + versionedPath +"'.");
       } else {
         allVersionedPath.push(versionedPath);