This repository was archived by the owner on Dec 27, 2023. It is now read-only.

Security - Bumps lodash@^4.17.21 for critical security patch #651

Open
sforsberg wants to merge 1 commit into opencomponents:master from sforsberg:sec-lodash-4.17.19

Conversation


@sforsberg sforsberg commented Oct 14, 2021

Bumps lodash@^4.17.21 to patch a critical security vulnerability in the current hoisted version 4.17.19.

NOTE: Uses a minor semver to allow lodash to be easily bumped for future minor and patch versions. If this is preferred not to be used, I can revert this to a fixed version.

Resolves: #650


sforsberg commented Oct 14, 2021

I may actually bump a few other dependencies; in particular, most oc-* deps can likely be updated to use a minor semver, and async is still pulling in lodash@4.17.19. (Disregard async: async@2.6.3 resolves the lodash vulnerability.)

Any objections to doing that?

@sforsberg sforsberg added the dependencies Pull requests that update a dependency file label Oct 14, 2021
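The two points raised in this thread, that the hoisted lodash copy is what gets patched and that a transitive dependency such as async can keep its own older copy, and that a caret range like `^4.17.21` only helps if its base is at or above the fixed release, can be checked mechanically against a lockfile. The script below is an added example written for this page; it is not code from the opencomponents project, and the `package-lock.json` contents (`SAMPLE_LOCK`) are constructed for illustration. It implements npm's caret-range rule itself rather than depending on the `semver` package so that it runs offline; `FIXED`, `findVulnerableCopies` and `caretAdmitsVulnerable` are names chosen here.

```javascript
// Added example (not from the opencomponents repo): audit a lockfileVersion 2
// package-lock.json for every installed copy of a package, hoisted or nested
// under another dependency, that is older than the patched release, and check
// whether a declared caret range can still resolve to a vulnerable version.

const FIXED = '4.17.21'; // first lodash release this PR considers patched

// Constructed lockfile fragment: the root declares ^4.17.19 (still admits the
// vulnerable 4.17.19), lodash is hoisted at 4.17.19, and async keeps its own
// nested copy. Versions are illustrative, not the project's real tree.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { lodash: '^4.17.19', async: '^2.6.1' } },
    'node_modules/lodash': { version: '4.17.19' },
    'node_modules/async': { version: '2.6.1', dependencies: { lodash: '^4.17.10' } },
    'node_modules/async/node_modules/lodash': { version: '4.17.15' },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 comparing version a to version b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm resolves them: ^X.Y.Z admits >=X.Y.Z with the same X
// (same X.Y when X is 0, exactly X.Y.Z when X.Y is 0.0).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  if (base[0] > 0) return v[0] === base[0];
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// The lowest version a caret range admits is its base, so the range still
// permits a vulnerable install whenever that base is below the fixed version.
function caretAdmitsVulnerable(range, fixed = FIXED) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  return compareVersions(range.slice(1), fixed) < 0;
}

// Walk lockfile.packages and report every copy of `name` older than `fixed`,
// together with the package that carries the nested copy ("(root)" if hoisted).
function findVulnerableCopies(lockfile, name, fixed = FIXED) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (compareVersions(meta.version, fixed) >= 0) continue;
    // "node_modules/async/node_modules/lodash" is pulled in by async
    const via = path === suffix
      ? '(root)'
      : path.slice(0, -(suffix.length + 1)).replace(/^node_modules\//, '');
    hits.push({ path, version: meta.version, via });
  }
  return hits;
}

// Run the audit over the constructed lockfile when executed directly.
for (const hit of findVulnerableCopies(SAMPLE_LOCK, 'lodash')) {
  console.log(`vulnerable ${hit.path}@${hit.version} (via ${hit.via})`);
}
const rootRange = SAMPLE_LOCK.packages[''].dependencies.lodash;
console.log(`root range ${rootRange} still admits vulnerable lodash:`,
  caretAdmitsVulnerable(rootRange));
```

Pointing `findVulnerableCopies` at a real `package-lock.json` (after `JSON.parse` of the file) lists each nested copy that a bump of the root range alone would not touch; for those the carrying dependency itself has to move to a release whose own range clears the fix, which is the async@2.6.3 situation described in the comment above.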

Development

Successfully merging this pull request may close these issues.

Security | Critical vulnerability in lodash@4.17.19
