Skip to content
This repository has been archived by the owner on Sep 14, 2022. It is now read-only.

Update lodash to 5.17.11 to resolve node vulnerability audit #579

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update lodash to 5.17.11 to resolve node vulnerability audit #579

wants to merge 1 commit into from

Conversation

joeyjmorales
Copy link

No description provided.

@joeyjmorales joeyjmorales mentioned this pull request Jan 8, 2019
Open
@WebbizAdmin
Copy link

Why this is not merged??

@aifrim
Copy link

aifrim commented Feb 28, 2019

@WebbizAdmin tests fail

@andyedwardsibm
Copy link

#570 might be relevant. According to that, work is happening to bring the project back to life, so things like the failing Travis and these PRs might get addressed.

Tristramg added a commit to CodeursenLiberte/etherpad-lite that referenced this pull request Apr 16, 2019
@Tristramg
Fix a few vulnerabilities
fc00a50 
Two can not be fixed yet:
- swagger-api/swagger-node#579
- nodejs/node-gyp#1718
@Tristramg Tristramg mentioned this pull request Apr 16, 2019
Closed
@DeeDeeG
Copy link

DeeDeeG commented Oct 15, 2019

This is a very tiny PR that could help users of this package stay secure.

I use this swagger node package and would appreciate the patch to newer lodash.

Maintainers, if the various audit security errors were patched and a very small maintenance release were pushed I think existing users would greatly appreciate it. (I know I would!)

(Incidentally PR name is slightly off, the major version for lodash is 4.x, rather than 5.x)

@DeeDeeG
Copy link

DeeDeeG commented Oct 15, 2019

Actually this PR isn't strictly necessary. On master branch, this package already depends on lodash "^4.17.2".

That means "greater than (or equal to) 4.17.2, but also less than 5.x"

If there were a new release of this package based off of the master branch, it would allow users to get up-to-date lodash, since the latest lodash (4.17.15 at the moment) is still in the 4.x series.

The fix that would be more meaningful would be for there to be a new release of this package.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@joeyjmorales @WebbizAdmin @aifrim @andyedwardsibm @DeeDeeG