JsCommunity / jsonrpc-websocket-client

JSON-RPC 2 over WebSocket

Please help bump lodash to 4.17.21 and upgrade the package version #48

Open yingfangdu opened 3 years ago

yingfangdu commented 3 years ago

Hi, we detected two alerts from our product, as below. Could you please help us complete the changes to upgrade lodash to 4.17.21 for these packages, jsonrpc-websocket-client and json-rpc-peer, and bump their versions in npm too?

Thanks, Yvonne

Alert 1

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Alert 2

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
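The property-assignment path Alert 1 describes is the same one any hand-written deep merge can fall into. The following is an added example, not code from jsonrpc-websocket-client, json-rpc-peer, or lodash: a small recursive merge that refuses the keys a prototype-pollution payload relies on (`__proto__`, `constructor`, `prototype`), run against constructed inputs in the shape the alert quotes, as they would arrive in untrusted JSON-RPC params after `JSON.parse`. `safeMerge` and `demo` are hypothetical names introduced here, and the example generalises the alert's `{constructor: {prototype: ...}}` case to the `__proto__` key form as well.

```javascript
// Added example (not from the projects named in this issue): a deep merge that
// drops the keys a prototype-pollution payload needs instead of following them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Recursively copies own enumerable properties of `source` into `target`.
// Any key that could redirect the write onto Object.prototype is skipped.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never descend through these
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else if (isPlainObject(value)) {
      target[key] = safeMerge({}, value); // copy, do not alias the untrusted object
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed inputs in the shapes Alert 1 describes. JSON.parse turns both
// "constructor" and "__proto__" into ordinary own keys that Object.keys lists.
const constructorPayload = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"id":1}'
);
const protoPayload = JSON.parse('{"__proto__":{"polluted":"yes"},"method":"ping"}');

// Merges both payloads and reports whether the legitimate fields survived and
// whether Object.prototype stayed untouched.
function demo() {
  const a = safeMerge({}, constructorPayload);
  const b = safeMerge({}, protoPayload);
  return {
    idCopied: a.id === 1,
    methodCopied: b.method === 'ping',
    constructorKeyDropped: !Object.prototype.hasOwnProperty.call(a, 'constructor'),
    protoKeyDropped: !Object.prototype.hasOwnProperty.call(b, '__proto__'),
    prototypeClean: ({}).polluted === undefined,
  };
}
```

The check to keep in mind when reviewing a merge or defaults helper: after merging an untrusted object, `({}).polluted` (or whatever property the input tried to plant) must still be `undefined` on a freshly created object.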

julien-f commented 3 years ago

Hi,

I don't understand the issue; json-rpc-peer and jsonrpc-websocket-client require lodash@^4.17.4, which is compatible with lodash@4.17.21.

npm should use the latest compatible version by default; you don't need any action on my part for this.

yingfangdu commented 3 years ago

Thanks for the quick reply. Yes, this is also what I understand.

Let me check in our system whether it still fires the alerts for other components that I apply the same fix to.

Will reply soon. Thanks very much for your time.