Security vulnerability found for dependency lodash #639
Labels
Comments
|
Working on this right now. Thanks. |
jimthedev
pushed a commit
that referenced
this issue
Jul 17, 2019
* fix(deps): update dependency lodash to v4.17.14 [security] fix #639 * chore(deps): update package-lock.json for lodash v4.17.14
|
🎉 This issue has been resolved in version 3.1.2 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current release has a
lodashdependency set to a fixed version. This version oflodashseems have a high severity security vulnerability.lodashshould be updated to fix the reported vulnerability.CVE-2019-10744
More information
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
The text was updated successfully, but these errors were encountered: