colorjs / get-svg-colors

Extract stroke and fill colors from SVG files
https://npm.im/get-svg-colors

low severity security vulnerability due to outdated lodash dependency #4

Closed ckerr closed 6 years ago

ckerr commented 6 years ago

Found via npm audit in electron apps repo.

Low             Prototype pollution
Package         lodash
Patched in      >=4.17.5
Dependency of   get-image-colors [dev]
Path            get-image-colors > get-svg-colors > cheerio > lodash
More info       https://nodesecurity.io/advisories/577

Looks like a release which bumped the cheerio requirement to >= 1.0.0-rc.1 and bumped get-svg-colors' own lodash requirement would resolve this.

zeke commented 6 years ago

Thanks!

zeke commented 6 years ago

I just installed @dependabot on this repo. Let's see if we get a lodash PR soon...

zeke commented 6 years ago

This should be resolved by https://github.com/colorjs/get-svg-colors/pull/6 and https://github.com/colorjs/get-svg-colors/pull/9, but the semantic release failed.

I opened an issue here: https://github.com/semantic-release/semantic-release/issues/962

zeke commented 6 years ago

New version 1.5.1 released! Updating get-image-colors now.