Bump lodash version to avoid security alerts from yarn and github

Question

Bump lodash version to avoid security alerts from yarn and github

damianobarbati opened this issue 5 years ago · comments

It's time to bump lodash version!

Kai Cataldo · Answer 1 · Fri Aug 30 2019 22:49:33 GMT+0800 (China Standard Time)

It doesn’t look like babel-eslintuses lodash directly, so this would need to be updated in the respective package that does.

Brian Ng · Answer 2 · Fri Aug 30 2019 23:13:26 GMT+0800 (China Standard Time)

@damianobarbati may have to update your babel deps (maybe even manually remove entries from lockfile), as latest versions should all use lodash@4.17.13

Ref:
https://unpkg.com/browse/@babel/types@7.5.5/package.json

Huáng Jùnliàng · Answer 3 · Fri Aug 30 2019 23:17:58 GMT+0800 (China Standard Time)

There is a handy tool called yarn-deduplicate which should help you in this case

yarn-deduplicate --packages lodash yarn.lock

Kai Cataldo · Answer 4 · Tue Aug 04 2020 08:10:38 GMT+0800 (China Standard Time)

Thank you for the PR. Now that @babel/eslint-parser has been released, we are making this repository read-only. If this is a change you would still like to advocate for, please reopen this in the babel/babel monorepo.