Closed khomyakdi closed 3 years ago
Is there any particular reason to use a fixed package version instead of allowing the minor version to be different? This would allow fixing such issues per project without the need to wait for a new release of filemanager.
The particular reason is breaking changes, which may be in new versions of libraries. For this reason, we use fixed versions of libraries. And before upgrading a library version, we check how that version works in our code.
Do we expect breaking changes in minor version releases of a library?
> Do we expect breaking changes in minor version releases of a library?

I remember that previously it already happened once with the lodash.merge function, which started to work differently in a minor version upgrade of lodash, which led to a couple of days investigating why the code stopped working :). Since then we carefully update versions of JS libraries and test UIs on installations before merging such updates.
Closing as implemented in #317
Released in 1.1.9
Please update lodash to 4.17.21 because lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function https://www.npmjs.com/advisories/1673
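
The pin-versus-range trade-off discussed in this thread, as an added example that is not part of the original issue or the project's code: it checks whether a dependency spec can resolve to the patched lodash 4.17.21 without a manifest change. The `admits` and `audit` helpers and the sample manifests are constructed for illustration, and the matcher handles only exact, `~` and `^` specs.

```javascript
// Minimal matcher for exact, "~" and "^" specs only (written for this example;
// production code should use the `semver` package).
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// True if dependency spec `spec` lets `version` be installed.
function admits(spec, version) {
  const op = /^[~^]/.test(spec) ? spec[0] : "";
  const base = parse(spec.slice(op.length));
  const v = parse(version);
  if (op === "") return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === "~") return v[0] === base[0] && v[1] === base[1];
  if (base[0] > 0) return v[0] === base[0];               // ^1.2.3: <2.0.0
  if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.2.3: <0.3.0
  return cmp(v, base) === 0;                              // ^0.0.3: only 0.0.3
}

// Classify one dependency against the patched release named in an advisory.
function audit(dependencies, name, fixedVersion) {
  const spec = dependencies[name];
  if (spec === undefined) return "absent";
  const ranged = /^[~^]/.test(spec);
  if (admits(spec, fixedVersion)) return ranged ? "range-admits-fix" : "pinned-at-fix";
  const base = parse(ranged ? spec.slice(1) : spec);
  // Below the fix and unable to reach it: the manifest itself must change,
  // which for a published library means waiting for a new release.
  return cmp(base, parse(fixedVersion)) < 0 ? "manifest-change-needed" : "above-fix";
}

// Constructed manifests; only the fixed version 4.17.21 comes from the thread.
const FIXED = "4.17.21";
const samples = {
  pinnedOld: { lodash: "4.17.15" },
  caretOld: { lodash: "^4.17.15" },
  tildeOld: { lodash: "~4.17.15" },
  pinnedFixed: { lodash: "4.17.21" },
  oldMajor: { lodash: "^3.10.1" },
};
for (const [label, deps] of Object.entries(samples)) {
  console.log(label, deps.lodash, "->", audit(deps, "lodash", FIXED));
}
```

A spec reported as `range-admits-fix` also admits every other release inside that range, which is the behaviour-change risk the maintainers describe above; a committed lockfile keeps those installs reproducible between deliberate updates.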