Brightspace / serverless-plugin-for-each

Serverless plugin that adds $forEach syntax to reduce code duplication and allow creating dynamic templates
Apache License 2.0

Replace lodash.get and lodash.set #112

Closed throrin19 closed 7 months ago

throrin19 commented 7 months ago

Hello,

Is it possible to replace lodash.get and lodash.set directly with the lodash package?

Actually, we have a high-severity vulnerability in our project because of your dependency on lodash.set, which hasn't been updated in 8 years.

```
# npm audit report

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
No fix available
node_modules/lodash.set
  serverless-plugin-for-each  *
  Depends on vulnerable versions of lodash.set
  node_modules/serverless-plugin-for-each

2 high severity vulnerabilities
```

throrin19 commented 7 months ago

Thanks. Have you planned to deploy the patch on npm?

d2l-github-release-tokens[bot] commented 7 months ago

:tada: This issue has been resolved in version 3.1.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket:
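
Prototype pollution, the issue class the audit output above reports for lodash.set, arises in set-by-path helpers when a path segment such as `__proto__` is followed into `Object.prototype`. The sketch below is an added example, not code from lodash or from this plugin: `naiveSet`, `safeSet`, `toSegments` and `pollutes` are hypothetical helpers showing an unguarded setter beside a guarded one, plus a regression check that can be pointed at any setter with the same signature.

```javascript
// Added example: hypothetical helpers, not lodash or plugin code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ['a', 'b', '0', 'c']; array paths are stringified.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(/[.[\]]+/).filter(Boolean);
}

// Unguarded setter: follows every segment, so "__proto__" resolves to Object.prototype.
function naiveSet(target, path, value) {
  const segs = toSegments(path);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const cur = node[segs[i]];
    if (cur === null || typeof cur !== 'object') node[segs[i]] = {};
    node = node[segs[i]];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Guarded setter: rejects blocked segments and descends only into own properties.
function safeSet(target, path, value) {
  const segs = toSegments(path);
  if (segs.length === 0) throw new TypeError('empty path');
  const bad = segs.find((s) => BLOCKED.has(s));
  if (bad) throw new Error(`refusing path segment "${bad}"`);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const cur = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (cur === null || typeof cur !== 'object') {
      node[key] = /^\d+$/.test(segs[i + 1]) ? [] : {}; // numeric next segment -> array
    }
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Regression check: true if a fresh object inherits `marker` after the setter runs.
function pollutes(setter, marker = 'pollutedMarker') {
  try { setter({}, `__proto__.${marker}`, true); } catch (_) { /* setter rejected the path */ }
  const hit = ({})[marker] === true;
  delete Object.prototype[marker]; // always restore the shared prototype
  return hit;
}

console.log({ naive: pollutes(naiveSet), safe: pollutes(safeSet) });
```

The `pollutes` check is suitable as a unit test around whichever path setter a project adopts when replacing lodash.set.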