gulp-community / gulp-footer

Gulp extension to add a footer to file(s) in the pipeline
MIT License

Update lodash.template dependency #16

Closed MarcAbonce-Vidado closed 2 years ago

MarcAbonce-Vidado commented 4 years ago

This should patch the vulnerability documented in CVE-2019-10744.

zdfowler commented 3 years ago

Seeing this still needs to be pulled in. Any maintainers up for it?

bradchoate commented 3 years ago

Would like to see this merged... it's flagged as a critical severity by dependabot, which means any repository referencing gulp-footer also has a critical severity alert. gulp-header has been updated to use this release of lodash.template, so I don't understand why gulp-footer hasn't.

bradchoate commented 3 years ago

Why is there resistance to advancing a dependency to a later release? Even if the CVE isn't a concern in terms of how the dependency is used, is there something about lodash.template@3.6.2 that makes it better than 4.5.0?

walliski commented 2 years ago

In addition to the CVE popping up all over the place, the lodash modular packages are not intended to be used anymore, and it's recommended that you switch over to the main lodash package instead: https://lodash.com/per-method-packages

@tracker1 any thoughts on this?

tracker1 commented 2 years ago

@walliski should probably switch to using lodash as the dependency and lodash/template as the direct import.

tracker1 commented 2 years ago

@bradchoate - Going to merge this, and open an issue to change the dependency to lodash and the import later.

walliski commented 2 years ago

Thanks @tracker1, much appreciated! 🎉

Could we get a new release also? 🤔

tracker1 commented 2 years ago

@walliski going to add a github workflow to deal with publishing shortly...