gruntjs / grunt-contrib-watch

Run tasks whenever watched files change.
http://gruntjs.com/
MIT License

Security vulnerability in lodash@3.10.1 #554

Closed marcysutton closed 6 years ago

marcysutton commented 6 years ago

There is a known security vulnerability in lodash@3x: https://hackerone.com/reports/310443

The severity is low, however grunt-contrib-watch should be updated to the latest lodash version to reduce risk.

gregtyler commented 6 years ago

Looks like this has been fixed on master, just not tagged or deployed to NPM. I've run the tests locally and they all pass, so (superficially) it looks ready to go.

@shama Would you be able to take a look at this? (Pinging since I see you did the last tags and recently fixed grunt-legacy-log similarly) Let me know if I can help.

anastasiagryshchenko commented 6 years ago

Came in here to report the same issue. It will make a huge difference if you could find time and deploy the current master to npm.

shama commented 6 years ago

Sorry for the delay; a new version of grunt-contrib-watch@1.0.1 was published with the lodash dependency updated. Thanks!