MarcAbonce-Vidado closed this 2 years ago
Seeing this still needs to be pulled in. Any maintainers up for it?
Would like to see this merged... it's flagged as a critical severity by dependabot, which means any repository referencing gulp-footer also has a critical severity alert. gulp-header has been updated to use this release of lodash.template, so I don't understand why gulp-footer hasn't.
Why is there resistance to advancing a dependency to a later release? Even if the CVE isn't a concern in terms of how the dependency is used, is there something about lodash.template@3.6.2 that makes it better than 4.5.0?
In addition to the CVE popping up all over the place, the lodash modular packages are not intended to be used anymore, and it's recommended that you switch over to the main lodash package instead: https://lodash.com/per-method-packages
@tracker1 any thoughts on this?
@walliski should probably switch to use lodash as the dependency and lodash/template as the direct import.
@bradchoate - Going to merge this, and open an issue to change the dependency to lodash and the import later.
Thanks @tracker1, much appreciated! 🎉
Could we get a new release also 🤔 ?
@walliski going to add a github workflow to deal with publishing shortly...
This should patch the vulnerability documented in CVE-2019-10744.