adonisjs / auth

Official Authentication package for AdonisJS
https://docs.adonisjs.com/guides/auth/introduction
MIT License
191 stars 65 forks

Update lodash@4.17.11 and debug@4.0.1 on the latest legacy version of this package @3.0.7 to deal with current snyk vulnerabilities in lodash@4.17.11 and debug@4.1.1 #188

Closed isocroft closed 2 years ago

isocroft commented 2 years ago

This feature request does not introduce breaking changes since the lodash version update is only on the patch version (4.17.11 -> 4.17.21). It also requests a change of version of debug@4.0.1 to debug@4.1.1 to match the version in @adonisjs/framework and @adonisjs/lucid.

Why this feature is required (specific use-cases will be appreciated)?

It will mitigate the current vulnerabilities delineated by Snyk depicted here for the lodash library as the deadline for maintaining the legacy version of AdonisJS 4.1 is fast approaching (31st, December, 2021).

targos commented 2 years ago

The dependencies are defined with ^x.y.z, which defines semver ranges compatible with the latest versions of lodash and debug. You can safely update the dependencies of your project without changes in this repository.
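
The caret-range check described in the comment above, as an added example that is not part of the thread or the package's own code. It assumes the declared ranges are `^4.17.11` and `^4.0.1` (taken from the versions in the issue title); the function names are hypothetical, and pre-release tags and partial versions are not handled.

```javascript
// Added example: minimal caret-range check following npm's documented semver rules.
// Pre-release tags and partial versions (e.g. ^4.17) are deliberately not handled.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};

// Compare two [major, minor, patch] tuples: negative, zero or positive.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Exclusive upper bound of ^x.y.z: bump the left-most non-zero component.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const low = parse(range.slice(1));
  const v = parse(version);
  return cmp(v, low) >= 0 && cmp(v, caretUpperBound(low)) < 0;
}

// Classify one dependency: is the installed copy already at the wanted version,
// and if not, can the consumer reach it without a change in the upstream package?
function triage(range, installed, wanted) {
  if (cmp(parse(installed), parse(wanted)) >= 0) return 'already-satisfied';
  return satisfiesCaret(wanted, range) ? 'refresh-lockfile' : 'needs-upstream-bump';
}

// Constructed input: ranges assumed from the versions named in the issue title.
const deps = [
  { name: 'lodash', range: '^4.17.11', installed: '4.17.11', wanted: '4.17.21' },
  { name: 'debug', range: '^4.0.1', installed: '4.0.1', wanted: '4.1.1' },
];
for (const d of deps) {
  console.log(`${d.name}: ${triage(d.range, d.installed, d.wanted)}`);
}
```

A `refresh-lockfile` result means the consuming project can pick up the wanted version by updating its own lockfile; the `0.x` branch of `caretUpperBound` is the case where a caret range does not admit a minor bump.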

RomainLanz commented 2 years ago

Closing since no answer from issue reporter.