ember-cli / ember-cli

The Ember.js command line utility.

Home Page: https://cli.emberjs.com


Security vulnerability in lodash.template package

LucasHill opened this issue

ember-cli is using a lodash function with a known security vulnerability. The vulnerability is not new, but due to how lodash used to publish functions individually as well as the entire 'lodash' package, it seems auto-scanning security systems were not picking up the issue until just recently.

There is already a proposed fix here:

Hopefully we can get this patch into all ember-cli versions with security support (back to 4.12 right now I think).

Thanks!

@kellyselden what do you think about getting this in?

This is released now, see this comment for more info: #10458 (comment)