low severity security vulnerability due to outdated lodash dependency
ckerr opened this issue · comments
Found via `npm audit` in the electron apps repo.
Low / Prototype pollution
Package: lodash
Patched in: >=4.17.5
Dependency of get-image-colors [dev]
Path: get-image-colors > get-svg-colors > cheerio > lodash
More info: https://nodesecurity.io/advisories/577
Looks like a release which bumped the cheerio requirement to >= 1.0.0-rc.1, plus bumping get-svg-colors' own lodash requirement, would resolve this.
Thanks!
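As an added illustration (not code from the issue or from the get-image-colors project), the check below walks an `npm ls --json`-style dependency tree and reports every path that ends at a package whose resolved version is below the patched release; the tree and all its version numbers are constructed to mirror the path in the report, not taken from the real packages.

```javascript
// Constructed sample tree mirroring the report's path; versions are assumed.
const tree = {
  name: 'my-electron-app',            // hypothetical root package
  version: '1.0.0',
  dependencies: {
    'get-image-colors': {
      version: '1.5.0',               // assumed pre-fix version
      dependencies: {
        'get-svg-colors': {
          version: '1.5.0',           // assumed
          dependencies: {
            cheerio: {
              version: '0.22.0',      // assumed
              dependencies: { lodash: { version: '4.17.4' } } // below 4.17.5
            }
          }
        }
      }
    }
  }
};

// Numeric compare of dotted versions ("4.17.4" vs "4.17.5"). Prerelease tags
// such as "-rc.1" are dropped, which suffices for a ">= patched" check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Depth-first search returning every "a > b > c" path whose last node is
// `pkg` resolved to a version lower than `patchedIn`.
function findVulnerablePaths(node, pkg, patchedIn, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (name === pkg && compareVersions(dep.version, patchedIn) < 0) {
      hits.push({ path: path.join(' > '), version: dep.version });
    }
    hits.push(...findVulnerablePaths(dep, pkg, patchedIn, path));
  }
  return hits;
}

console.log(findVulnerablePaths(tree, 'lodash', '4.17.5'));
```

Feeding it the real output of `npm ls --json` instead of the constructed tree gives the same path listing for an actual install.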
I just installed @dependabot on this repo. Let's see if we get a lodash PR soon...
This should be resolved by #6 and #9, but the semantic release failed.
I opened an issue here: semantic-release/semantic-release#962
New version 1.5.1 released! Updating get-image-colors now.