longshotlabs / js-message-box

A package for defining and getting validation error messages, with support for Meteor Tracker reactivity
MIT License

Snyk security vulnerability due to lodash.template standalone dependency #25

Open m-a-d1 opened 2 years ago

m-a-d1 commented 2 years ago

Snyk reports a security vulnerability for this package because of the dependency on the lodash.template standalone package. You can see the report here: https://security.snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054

However, it doesn't look like lodash is supporting standalone packages anymore: https://lodash.com/per-method-packages and there isn't an updated package with a security patch (besides the core lodash package).

Let me know if more details are needed.

jesusej commented 1 month ago

I think the best approach would be to include the core package and import only the template function like the article recommends.

Screenshot of lodash article which recommends to use core package and only include the functions you want to use

We would only need to check whether the changes between 4.5.0 and 4.17.21 could affect the functionality of the template function and make the necessary changes.
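One way to apply the migration jesusej describes, as an added example that is not code from js-message-box or from lodash: replace the standalone `lodash.template` require with the per-method path inside the core `lodash` package, and guard the call with a check that the core package actually installed is at least the version the thread compared against (4.17.21 is the core version named above; treating it as the minimum is an assumption, as are the helper names and the sample message).

```javascript
// Added example, not js-message-box code. Assumes the project depends on the
// core "lodash" package (>= 4.17.21 in package.json); helper names are made up.

// Before (the abandoned standalone package Snyk flags):
//   const template = require('lodash.template');
// After (same function, shipped inside the core package that still gets patches).
// Loaded lazily so the rest of this file works even where lodash is absent.
function loadTemplate() {
  return require('lodash/template');
}

// Turn "4.17.21" into [4, 17, 21]; missing or non-numeric parts become 0.
function parseVersion(version) {
  return String(version).split('.').map((part) => parseInt(part, 10) || 0);
}

// True when installed >= required, comparing major, minor, patch in order.
function isAtLeast(installed, required) {
  const a = parseVersion(installed);
  const b = parseVersion(required);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x > y) return true;
    if (x < y) return false;
  }
  return true;
}

// Version of the core lodash package that actually resolved, or null.
function installedLodashVersion() {
  try {
    return require('lodash/package.json').version;
  } catch (err) {
    return null; // core lodash is not installed in this environment
  }
}

// Render a validation message the way a lodash template call would, but refuse
// to run against a core lodash older than the version we compared to.
function renderMessage(source, data, minimumVersion = '4.17.21') {
  const version = installedLodashVersion();
  if (version === null) {
    throw new Error('core lodash package is not installed');
  }
  if (!isAtLeast(version, minimumVersion)) {
    throw new Error(`lodash ${version} is older than ${minimumVersion}; upgrade first`);
  }
  const template = loadTemplate();
  return template(source)(data);
}

// Stand-alone demo: returns the rendered message, or the reason it was refused.
function demo() {
  try {
    // Constructed sample message; ${...} is lodash's default interpolate syntax.
    return renderMessage('${name} must be at least ${min} characters', {
      name: 'Password',
      min: 8,
    });
  } catch (err) {
    return err.message;
  }
}

console.log(demo());
```

Pinning `lodash` in `package.json` alone is not enough if a nested dependency still drags in `lodash.template`; `npm ls lodash.template` after the change confirms the standalone package is gone from the tree.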