jasonsims / aws-cloudfront-sign

Utility module for AWS CloudFront
MIT License
176 stars, 80 forks

vulnerability with lodash package #65

Closed Arsen080995 closed 1 year ago

Arsen080995 commented 3 years ago
[Screenshot attached: Screen Shot 2021-08-18 at 11 16 57]
seanmurph commented 2 years ago

This module is using lodash on only one line of code which is: https://github.com/jasonsims/aws-cloudfront-sign/blob/b605a0a13f694cc3925bc335bbfeb6a0f76e026b/lib/cloudfrontUtil.js#L32

The fixed version is a major update from the 3.x currently used. It's worth forking and trying it to see whether _.extend has any breaking changes or whether this can update seamlessly.
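
An added example of the check suggested above, in JavaScript; it is not code from aws-cloudfront-sign or from anyone in this thread. It assumes the single lodash call is an `_.extend(defaults, params)` merge of option objects (an assumption about the shape of that line, not a quote of it). The relevant difference between the two majors, from lodash's own documentation rather than this thread: in lodash 3, `_.extend` copies only a source's own enumerable properties (the same as `Object.assign`), while in lodash 4 `_.extend` is an alias of `_.assignIn` and also copies inherited enumerable properties. The upgrade, or dropping lodash for a native merge, is therefore seamless exactly when no caller passes an options object carrying inherited enumerable keys, which is what `mergeIsVersionIndependent` tests for.

```javascript
// Added example, not the module's code. Checks whether swapping the one
// lodash 3 _.extend call for lodash 4's _.extend (alias of _.assignIn) or for
// a lodash-free merge can change behaviour, and provides a replacement that
// needs no lodash at all.

// Keys that live on a source's prototype chain rather than on the object
// itself. lodash 3 _.extend and Object.assign ignore these; lodash 4
// _.extend copies them.
function inheritedEnumerableKeys(source) {
  if (source === null || source === undefined) return [];
  const own = new Set(Object.keys(source));
  const inherited = [];
  for (const key in source) {
    if (!own.has(key)) inherited.push(key);
  }
  return inherited;
}

// True when every source has only own enumerable keys, i.e. when the
// own-only merge (lodash 3, Object.assign) and the own-plus-inherited merge
// (lodash 4) produce identical results for these inputs.
function mergeIsVersionIndependent(...sources) {
  return sources.every((s) => inheritedEnumerableKeys(s).length === 0);
}

// lodash-free merge with lodash 4 _.extend semantics (own and inherited
// enumerable string keys, later sources win), so removing the dependency
// does not change behaviour relative to the upgraded version either.
function extendCompat(target, ...sources) {
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hypothetical option merge of the kind a signing helper performs:
// defaults first, caller-supplied params override. Assumed shape only.
function mergeSigningOptions(params) {
  const defaults = { expireTime: Date.now() + 30 * 1000, ipRange: null };
  return extendCompat(defaults, params);
}

// Constructed inputs: a plain options object (the common case) and one
// whose option lives on its prototype (the only case where behaviour
// differs between the two lodash majors).
const plainParams = { ipRange: '10.0.0.0/8' };
const protoParams = Object.create({ ipRange: '192.0.2.0/24' });

console.log('plain params safe to upgrade:', mergeIsVersionIndependent(plainParams));
console.log('proto params safe to upgrade:', mergeIsVersionIndependent(protoParams));
console.log('own-only merge sees ipRange:', Object.assign({}, protoParams).ipRange);
console.log('lodash 4 style merge sees ipRange:', extendCompat({}, protoParams).ipRange);
```

Run this against the actual objects your code passes into the signing call; if `mergeIsVersionIndependent` is true for all of them, the major bump (or dropping lodash entirely, which also removes the flagged transitive dependency) cannot change the merged options.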

adam-azarchs commented 1 year ago

This looks like it's fixed in 2.2.1, but https://github.com/jasonsims/aws-cloudfront-sign/issues/64

jasonsims commented 1 year ago

Fixed.

@adam-azarchs 2.2.1 is published now. Sorry about that! Is there any reason you're not using Class: AWS.CloudFront.Signer? I stopped maintaining this because it seemed like it was added to the aws sdk, but if there are still use cases for this library I can keep it updated.

adam-azarchs commented 1 year ago

Tech debt. We're switching things over where we have bandwidth to do so, but it hasn't been prioritized. Updating this, however, is something dependabot can do for us without any code changes on our end. Using the official AWS package is probably a better plan in the long run; AWS is, to understate things, big enough that they can fund their own engineering for this kind of package and shouldn't rely on open source volunteer maintainers.

jasonsims commented 1 year ago

Ok, well hopefully this helps! I'll try to spend some time over the weekend cleaning up this repo because it's still getting 70k downloads per week. Seems like it's still useful.