This repository has been archived by the owner on Dec 27, 2023. It is now read-only.

Security | Critical vulnerability in lodash@4.17.19 #650

Open
sforsberg opened this issue Oct 14, 2021 · 0 comments · May be fixed by #651

Comments

sforsberg (Contributor) commented Oct 14, 2021

Our dependency check has notified us that lodash@4.17.19 has a CRITICAL security vulnerability, so that version should no longer be used; instead, we should upgrade to a patched version of lodash.

From this report: GHSA-35jh-r3h4-6jhm

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

npm ls lodash tree (oc-template-react-compiler):

├─┬ oc-template-react-compiler@5.2.2
...
│ ├── lodash@4.17.19
...

Proposed Solution

Bump the version of lodash to the patched version 4.17.21.

Optionally, can we use a minor semver ^4.17.21 to keep this up to date without a release?

@sforsberg sforsberg added the dependencies Pull requests that update a dependency file label Oct 14, 2021
@sforsberg sforsberg self-assigned this Oct 14, 2021
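Added example, not code from the oc-template-react-compiler project or from the issue author: a dependency-free Node script that performs the same check a dependency scanner makes, walking the `packages` map of a package-lock.json (lockfile v2/v3) and flagging every lodash copy below the 4.17.21 release that fixes GHSA-35jh-r3h4-6jhm. It also answers the `^4.17.21` question by computing the lowest version a package.json range can resolve to. The lockfile object and version specs are constructed sample data, and `compareVersions`, `findVulnerableLodash`, `specFloor`, `specIsPatched` and `report` are names chosen for this example.

```javascript
// Added example, not part of oc-template-react-compiler: audit a package-lock
// for lodash copies older than the release named in GHSA-35jh-r3h4-6jhm.
// All data below is constructed for illustration.

const PATCHED_LODASH = '4.17.21';

// Numeric comparison of dotted versions: -1 if a < b, 0 if equal, 1 if a > b.
// Pre-release suffixes are ignored; published lodash versions are plain x.y.z.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys are install paths such as
// "node_modules/oc-template-react-compiler/node_modules/lodash". Match the
// lodash package exactly so lodash.template, lodash-es etc. are not counted.
function isLodashPath(p) {
  return p === 'node_modules/lodash' || p.endsWith('/node_modules/lodash');
}

// Return every installed lodash copy whose version is below `patched`.
function findVulnerableLodash(lock, patched = PATCHED_LODASH) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!isLodashPath(path) || typeof meta.version !== 'string') continue;
    if (compareVersions(meta.version, patched) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Lowest version a package.json spec can resolve to. Handles the common forms
// ("4.17.19", "^4.17.21", "~4.17.15", ">=4.17.0"); anything else is treated
// as unbounded, i.e. potentially vulnerable. This is a deliberate simplification.
function specFloor(spec) {
  const m = /^\s*(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+)\s*$/.exec(spec);
  return m ? m[1] : '0.0.0';
}

// True when no version the spec admits is older than the patched release,
// which is why "^4.17.21" is safe while "^4.17.15" is not.
function specIsPatched(spec, patched = PATCHED_LODASH) {
  return compareVersions(specFloor(spec), patched) >= 0;
}

// Constructed lockfile: a hoisted lodash already at 4.17.21 plus a nested
// 4.17.19 under oc-template-react-compiler, mirroring the npm ls tree above.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/lodash.template': { version: '4.5.0' },
    'node_modules/oc-template-react-compiler': { version: '5.2.2' },
    'node_modules/oc-template-react-compiler/node_modules/lodash': { version: '4.17.19' },
  },
};

// Print a report and return the number of vulnerable copies so a CI step
// can fail on a non-zero result.
function report(lock) {
  const hits = findVulnerableLodash(lock);
  for (const h of hits) {
    console.log(`VULNERABLE ${h.path}@${h.version} (< ${PATCHED_LODASH})`);
  }
  if (hits.length === 0) console.log('no vulnerable lodash copies found');
  return hits.length;
}

report(sampleLock);
for (const spec of ['4.17.19', '^4.17.21', '^4.17.15']) {
  console.log(`${spec}: ${specIsPatched(spec) ? 'cannot' : 'can'} resolve below ${PATCHED_LODASH}`);
}
```

The nested copy is the important case: a hoisted lodash at 4.17.21 at the top of node_modules does not remove a second, older copy installed under a dependency, which is exactly what the `npm ls lodash` tree in the issue shows. Checking the lockfile's `packages` map rather than a single top-level `node_modules/lodash` entry catches it.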