Closed srihakum closed 5 years ago
+1
After running `npm audit` it returns:

```
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Moderate        Prototype Pollution
Package         lodash
Patched in      >=4.17.11
Dependency of   nforce
Path            nforce > lodash
More info       https://npmjs.com/advisories/782

found 1 moderate severity vulnerability in 2723 scanned packages
  1 vulnerability requires manual review. See the full report for details.
```

But when I run `npm audit fix` it returns:

```
up to date in 9.839s
fixed 0 of 1 vulnerability in 2723 scanned packages
  1 vulnerability required manual review and could not be updated
```
The lodash dependency must be fixed in the nforce package. See the npm advisory
Sorry for the delay in closing this but it's fixed now. Thanks for reporting.
The current dependency for this repo is lodash version 4.17.10, which is vulnerable to CVE-2018-16487. This needs to be updated to the latest version, 4.17.11.

Links:
- https://exchange.xforce.ibmcloud.com/vulnerabilities/156530
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487
- https://hackerone.com/reports/380873