Open skhilliard opened 3 years ago
It is difficult to fix a security issue from a transitive dependency.
The best solution may be to submit a patch to gulp-util and convince them to do a release. Even though it's deprecated, the maintainer may be willing to publish a security patch.
Also, no one is really doing active development of this library AFAIK. If you think the issue can be fixed here, you can submit a patch, and I can help review.
gulp-util has been deprecated for years and shouldn't even be a dependency.
gulp-util will not be updated; use the migration instructions from the README to move to a supported dependency.
gulp-run has a dependency on gulp-util which references a version of lodash.template that has a critical vulnerability. Would it be possible to update gulp-run to eliminate this? Unfortunately, I see that the gulp-util project has been deprecated.
gulp-run > gulp-util > lodash.template https://github.com/advisories/GHSA-jf85-cpcp-j695
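To confirm which direct dependency pulls in a vulnerable transitive package such as lodash.template, the following added example (not code from gulp-run, gulp-util, or the thread's participants) walks a lockfile-v1 package-lock.json using Node's resolution order and prints every require chain ending at the target. The package.json and lockfile contents below are constructed samples with placeholder versions, not the real ones.

```javascript
// Added example: list require chains from a direct dependency to a target package,
// following `requires` in a lockfile-v1 package-lock.json with Node-style resolution.

// Constructed sample data (placeholder versions, not real lockfile contents).
const PKG = { dependencies: { 'gulp-run': '^1.0.0', 'lodash': '^4.0.0' } };
const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-run':  { version: '1.0.0', requires: { 'gulp-util': '^3.0.0' } },
    'gulp-util': { version: '3.0.0', requires: { 'lodash.template': '^3.0.0' },
                   dependencies: { 'lodash.template': { version: '3.0.0' } } },
    'lodash':    { version: '4.0.0' },
  },
};

// Resolve `name` the way Node does from the package at the end of `chain`:
// its own nested dependencies first, then each ancestor's, finally the hoisted root.
function resolve(lock, chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const nested = chain[i].node.dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return (lock.dependencies || {})[name];
}

// Depth-first walk over `requires`; returns strings such as
// "gulp-run@1.0.0 > gulp-util@3.0.0 > lodash.template@3.0.0".
function findChains(pkg, lock, target) {
  const chains = [];
  const visit = (chain, seen) => {
    const cur = chain[chain.length - 1];
    if (cur.name === target) {
      chains.push(chain.map((c) => `${c.name}@${c.node.version}`).join(' > '));
      return;
    }
    for (const dep of Object.keys(cur.node.requires || {})) {
      const node = resolve(lock, chain, dep);
      if (!node || seen.has(node)) continue; // unresolved entry or dependency cycle
      visit([...chain, { name: dep, node }], new Set(seen).add(node));
    }
  };
  for (const name of Object.keys(pkg.dependencies || {})) {
    const node = resolve(lock, [], name);
    if (node) visit([{ name, node }], new Set([node]));
  }
  return chains;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findChains(PKG, LOCK, 'lodash.template').join('\n'));
}
```

Pointing `PKG` and `LOCK` at a real package.json and package-lock.json (lockfileVersion 1) reports the same chain the issue describes, which is the input needed to decide whether a direct dependency can be swapped or a patched release requested.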