Closed shibukawa closed 5 years ago
Found there is some suspicion even in 4.17.5:
There is a 4.17.10 version https://www.npmjs.com/package/lodash
`npm audit` says >= 4.17.5:

```
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-plugin-transform-define [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ babel-plugin-transform-define > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 59560 scanned packages
1 vulnerability requires manual review. See the full report for details.
```
Would be great to get this fixed.
Fixed in PR #52
Could this PR be merged?
https://snyk.io/vuln/npm:lodash:20180130
babel-plugin-transform-define uses 4.17.4 strictly. Could you update to 4.17.5?
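The audit output above classifies the advisory as prototype pollution. As an added illustration (not code from lodash, from babel-plugin-transform-define, or from anyone in this thread), the toy recursive merge below shows what that bug class looks like in a naive deep merge and how a hardened merge avoids it. `toyDeepMergeVulnerable`, `toyDeepMergeHardened`, `demonstrate` and the `PAYLOAD` input are all constructed for this example; nothing here claims which lodash function the advisory concerns or reproduces lodash's implementation.

```javascript
// Added example for this thread: a hypothetical recursive merge showing the
// prototype-pollution class named in the npm audit output. It is NOT lodash's
// code and makes no claim about which lodash function was affected.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every key of `source` is treated as an ordinary property.
// A source key literally named "__proto__" makes `target[key]` resolve to
// Object.prototype, so the recursion writes attacker-chosen keys onto it.
function toyDeepMergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key];
    if (isPlainObject(src)) {
      if (!isPlainObject(target[key])) target[key] = {};
      toyDeepMergeVulnerable(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Hardened pattern: refuse keys that reach the prototype chain, and only
// recurse into properties the target actually owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function toyDeepMergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      toyDeepMergeHardened(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// *own* property named "__proto__" here (it does not set the prototype), which
// is exactly what a naive merge then walks into.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

// Runs one merge against a fresh object and reports whether an unrelated,
// freshly created object afterwards sees the injected property.
function demonstrate(mergeFn) {
  const before = ({}).polluted;        // undefined on a clean prototype
  const merged = mergeFn({}, PAYLOAD);
  const after = ({}).polluted;         // true if Object.prototype was polluted
  delete Object.prototype.polluted;    // undo any pollution so runs are independent
  return { before, after, mergedName: merged.name };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', demonstrate(toyDeepMergeVulnerable));
  console.log('hardened:  ', demonstrate(toyDeepMergeHardened));
}
```

The practical check for a thread like this one is which lodash copy a dependency path actually resolves to: `npm ls lodash` lists every installed version with the path that pulls it in, so a strict pin such as the 4.17.4 mentioned above shows up even when the top-level package already uses a patched release.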