low severity security vulnerability due to outdated lodash dependency

Question

low severity security vulnerability due to outdated lodash dependency

ckerr opened this issue 6 years ago · comments

Found via npm audit in electron apps repo.

Low / Prototype pollution
Package: lodash
Patched in: >=4.17.5
Dependency of get-image-colors [dev]
Path: get-image-colors > get-svg-colors > cheerio > lodash
More info: https://nodesecurity.io/advisories/577

Looks like a release which bumped cheerio requirement to >= 1.0.0-rc.1 + bumping get-svg-colors' own lodash requirement would resolve this.

Zeke Sikelianos commented 6 years ago

Thanks!

Zeke Sikelianos · Answer 1 · Tue Oct 23 2018 11:35:48 GMT+0800 (China Standard Time)

I just installed @dependabot on this repo. Let's see if we get a lodash PR soon...

Zeke Sikelianos · Answer 2 · Tue Oct 23 2018 12:23:40 GMT+0800 (China Standard Time)

This should be resolved by #6 and #9, but the semantic release failed.

I opened an issue here: semantic-release/semantic-release#962

Zeke Sikelianos · Answer 3 · Fri Oct 26 2018 00:24:37 GMT+0800 (China Standard Time)

New version 1.5.1 released! Updating get-image-colors now.