lukehorvat / module

Generate the minimal skeleton/boilerplate for a new Node.js module.
MIT License

Update lodash and babel dependencies to fix critical CVE #3

Open fainashalts opened 2 years ago

fainashalts commented 2 years ago

Hi there! I work at ConsenSys on the Truffle tool suite for Ethereum developers. We have a transitive dependency issue I have tracked down to this package. I believe I have a simple fix as described below:

This PR updates the lodash, yargs, and babel dependencies in this project. Lodash version should be greater than 4.5.0 to avoid the "prototype pollution in lodash" critical vulnerability. Yargs should be updated as the old version faces the same lodash issue. Babel has a new package (the deprecated `babel-cli` relied on an old version of lodash as well), so I have updated to that as well. I ran `npm run build` successfully after these changes but am uncertain if there is more that can be done from the standpoint of testing.

Thanks for reviewing this, please let me know if there is anything else I can do to get it merged and published!