Potential lodash vulnerability at 4.17.11
quetzaluz opened this issue · comments
Note: This feels somewhat lower priority because the vulnerable methods in question aren't used, but resolving this can fix package installation/audit warnings and prevent accidental usage of vulnerable methods:
Similar to #13, lodash requires another upgrade due to a reported vulnerability in the version used in this repo:
- Per https://github.com/lodash/lodash/issues/4348, an upgrade is required to address a recent security vulnerability CVE-2019-10744
- https://github.com/request/promise-core/blob/master/package.json#L36 lists the vulnerable lodash version
Will be able to follow up with a PR to fix this but want to confirm if this upgrade is desired first
Filed this without noticing PR #20 which will resolve this
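As an added example (not code from promise-core, request-promise or this issue's authors), here is a small dependency-free Node.js check of the kind a maintainer could run against a package.json before or after a bump like the one discussed above: it finds every dependency section that lists lodash, derives the lower bound of the declared range, and flags ranges that could still resolve below the version this thread moves to. The floor of 4.17.15 is taken from the bump mentioned in the thread, not from the advisory itself, and the sample package.json is constructed for the demonstration.

```javascript
// Added example (not code from the request/promise-core project): scan a
// package.json's dependency sections for a lodash range whose lower bound is
// below the version the thread bumps to (^4.17.15). Node.js, no dependencies.

// Version the maintainer moved to in this thread; used here as the minimum
// acceptable floor (assumption taken from the thread, not from the advisory).
const PATCHED_FLOOR = '4.17.15';

// Parse "4.17.11" into [4, 17, 11]; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison of two x.y.z strings: -1, 0, or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of the simple range forms npm writes into package.json:
// "^4.17.11", "~4.17.11", "4.17.11", ">=4.17.11". Returns null for forms this
// helper does not understand ("*", "latest", "||" unions), which the caller
// reports explicitly rather than silently treating as safe.
function rangeLowerBound(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)(?:[-+][0-9A-Za-z.-]+)?$/.exec(range.trim());
  return m ? m[1] : null;
}

// Walk the dependency sections and report any lodash entry whose lower bound
// is below `floor`, plus any range whose lower bound cannot be determined.
function findVulnerableLodash(pkg, floor = PATCHED_FLOOR) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    const range = pkg[section] && pkg[section].lodash;
    if (!range) continue;
    const lower = rangeLowerBound(range);
    if (lower === null) {
      findings.push({ section, range, status: 'unbounded' });
    } else if (compareVersions(lower, floor) < 0) {
      findings.push({ section, range, status: 'below-floor', lowerBound: lower });
    }
  }
  return findings;
}

// Constructed sample modelled on the situation in the thread: the runtime
// dependency still declares the old range while the dev dependency is current.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { lodash: '^4.17.11', request: '^2.88.0' },
  devDependencies: { lodash: '^4.17.15' },
};

for (const f of findVulnerableLodash(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}: lodash ${f.range} (${f.status})`);
}
```

A declared range is only half the picture: the version actually installed comes from the lockfile, so the same comparison should also be run over the resolved lodash entries in package-lock.json or yarn.lock, which is what `npm audit` does for you.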
I just bumped it to ^4.17.15 and will roll it out to the main request-promise packages shortly.