maximkoretskiy / postcss-initial

PostCSS plugin to fallback initial keyword
MIT License

High Severity security issue with lodash.template #44

Closed charlieTheBotDev closed 3 years ago

charlieTheBotDev commented 3 years ago

https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054

lodash.template is deprecated. Please swap to use lodash and import template from that.

This is causing issues in many of our production applications, so we would appreciate a swift resolution.

postcss-preset-env@6.7.0
  └─┬ postcss-initial@3.0.2
    └── lodash.template@4.5.0 

Cross-posted for visibility: https://github.com/csstools/postcss-preset-env/issues/203

candrews commented 3 years ago

Please release version 3.0.3 when this change is made so (the many) packages that depend upon postcss-initial 3.x can benefit.

Thank you!

JavaZava commented 3 years ago

There is already a version 4.0.0 released, but it still has the lodash.template dependency.

maximkoretskiy commented 3 years ago

@candrews Sure, will do.