carlitoplatanito / gulp-nunjucks-render

[Gulp](https://github.com/wearefractal/gulp) plugin to render [Nunjucks](http://mozilla.github.io/nunjucks/) templates

npm published version (2.2.2) depends on vulnerable lodash version #69

Closed icydoge2 closed 5 years ago

icydoge2 commented 5 years ago

This seems to have been fixed in https://github.com/carlosl/gulp-nunjucks-render/pull/67 but not tagged for release and published to npm. Due to CVE-2018-3721, please consider republishing this package with the updated lodash.

max-ci commented 5 years ago

Hey @carlosl any news on this?

kevinmpowell commented 5 years ago

@carlosl I'd love to see this released to npm as well. Anything I can do to make this happen?

kevinmpowell commented 5 years ago

Update: I've reached out to @carlosl via Twitter, but have not received a response. I fear this project may no longer be maintained.

kevinmpowell commented 5 years ago

@kristijanhusak you've contributed to this project quite a bit. Any insights on the current state of the project?

kristijanhusak commented 5 years ago

@kevinmpowell I haven't used it for a long time (~2 years minimum). I'll publish a new version on Monday.

kristijanhusak commented 5 years ago

New version is out (v2.2.3) with the lodash update.