Critical security alert: lodash.merge
drewwmercer opened this issue · comments
Drew W Mercer commented
Dependabot cannot update to the required version
lodash.merge vulnerability found in package-lock.json on Jul 10
Remediation: Upgrade lodash.merge to version 4.6.2 or later.
For example:

```json
"dependencies": {
  "lodash.merge": ">=4.6.2"
}
```

or…

```json
"devDependencies": {
  "lodash.merge": ">=4.6.2"
}
```
Details: CVE-2019-10744
critical severity
Vulnerable versions: < 4.6.2
Patched version: 4.6.2
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
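As an added illustration of the advisory quoted above (not code from this issue or from lodash), a deep merge that refuses the keys a prototype-pollution payload relies on, plus a check that `Object.prototype` is unchanged after merging untrusted input. The payload and the helper names are constructed for this example.

```javascript
// Added example, not lodash's own code: a deep merge that skips the keys a
// prototype-pollution payload depends on, and a check that Object.prototype
// has not gained any property after merging untrusted input.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Deep-merges `source` into `target`, visiting only own enumerable keys and
// skipping any key through which the walk could reach Object.prototype.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      // Only reuse an existing *own* plain object, never an inherited one.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(target[key], srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Returns true if `mergeFn({}, payload)` adds a property to Object.prototype,
// i.e. if the merge function is vulnerable to this class of bug.
function pollutesPrototype(mergeFn, payload) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  mergeFn({}, payload);
  return Object.getOwnPropertyNames(Object.prototype).some((n) => !before.has(n));
}

// Constructed input in the shape the advisory describes: it tries to reach
// Object.prototype through the `constructor` key, next to a legitimate key.
const untrusted = JSON.parse('{"constructor":{"prototype":{"isAdmin":true}},"theme":{"dark":true}}');

function demo() {
  const polluted = pollutesPrototype(safeDeepMerge, untrusted);
  const merged = safeDeepMerge({ theme: { dark: false, font: "mono" } }, untrusted);
  if (polluted || ({}).isAdmin !== undefined) throw new Error("Object.prototype was polluted");
  return { polluted, merged };
}
demo();
```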
Drew W Mercer commented
@achakavarti can you check this out?
Drew W Mercer commented
Latest version is 4.6.2