Closed kaiyoma closed 4 years ago
This project is currently hard-coding an older version of lodash:
```json
"dependencies": {
  "bluebird": "3.7.1",
  "debug": "4.1.1",
  "lodash": "4.17.15"
},
```
This version of lodash has a known security issue. If you run `yarn audit` in any project that pulls in cypress-webpack-preprocessor, you'll get this:

```
yarn audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.19                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @cypress/webpack-preprocessor                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @cypress/webpack-preprocessor > lodash                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1523                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
How come the version is being manually specified? Why not use caret notation to avoid issues like this?
Closed in https://github.com/cypress-io/cypress-webpack-preprocessor/pull/101
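An added example, not code from the cypress-webpack-preprocessor project or from the issue's author, showing concretely why the exact pin matters to a consumer: a small checker over a package.json `dependencies` map that decides whether each declared range can ever resolve to a version satisfying an advisory's "Patched in" constraint. The dependency map and the lodash advisory values (`>=4.17.19`) are the ones quoted in this issue; the caret handling follows npm's rule that the leftmost non-zero version component is frozen. Only exact pins, caret ranges and `>=x.y.z` constraints are modelled, a deliberate subset of semver rather than the `semver` package.

```javascript
// Added example, not code from cypress-webpack-preprocessor or the issue author.
// A minimal checker: can a declared dependency range ever resolve to a version
// that satisfies an advisory's "Patched in" constraint?
// Deliberate subset of semver: exact pins ("4.17.15"), caret ranges
// ("^4.17.15") and ">=x.y.z" constraints only.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, per npm's rule: the leftmost
// non-zero component is frozen, everything to its right may float.
function caretUpper([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Does the declared range admit this concrete version?
function rangeAllows(range, version) {
  const v = parse(version);
  if (range.startsWith('^')) {
    const base = parse(range.slice(1));
    return cmp(v, base) >= 0 && cmp(v, caretUpper(base)) < 0;
  }
  return cmp(v, parse(range)) === 0; // exact pin: one version only
}

// Can some version inside `range` satisfy `patchedIn` (">=x.y.z")?
// Exact pin: only the pinned version is a candidate.
// Caret: the range is open up to caretUpper(base), so a patched version is
// reachable exactly when the patch threshold sits below that bound.
function canResolvePatched(range, patchedIn) {
  const m = /^>=\s*(.+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported constraint: ${patchedIn}`);
  const patched = parse(m[1]);
  if (range.startsWith('^')) {
    return cmp(patched, caretUpper(parse(range.slice(1)))) < 0;
  }
  return cmp(parse(range), patched) >= 0;
}

// Cross a dependencies map (package.json shape) with a list of advisories.
function auditDependencies(deps, advisories) {
  return advisories
    .filter((a) => deps[a.package] !== undefined)
    .map((a) => ({
      package: a.package,
      declared: deps[a.package],
      patchedIn: a.patchedIn,
      resolvable: canResolvePatched(deps[a.package], a.patchedIn),
    }));
}

// Constructed inputs: the dependency map quoted in the issue, its caret
// counterpart, and the lodash advisory as reported by yarn audit above.
const PINNED_DEPS = { bluebird: '3.7.1', debug: '4.1.1', lodash: '4.17.15' };
const CARET_DEPS = { bluebird: '^3.7.1', debug: '^4.1.1', lodash: '^4.17.15' };
const ADVISORIES = [{ package: 'lodash', patchedIn: '>=4.17.19' }];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('pinned:', auditDependencies(PINNED_DEPS, ADVISORIES));
  console.log('caret: ', auditDependencies(CARET_DEPS, ADVISORIES));
}
```

With the pinned map the lodash finding comes back `resolvable: false`: no install can ever pick up 4.17.19 until the upstream package.json changes. With `^4.17.15` it is `resolvable: true`, but only potentially: yarn keeps whatever `yarn.lock` already recorded until the entry is refreshed (for example with `yarn upgrade lodash`), so a caret range is necessary, not sufficient. A consumer that cannot wait for an upstream release can also force the transitive version from its own package.json with yarn's `resolutions` field; that overrides the dependency's declared range, so it should be treated as a temporary measure and removed once the upstream fix ships.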