Open sforsberg opened 2 years ago
Our dependency-check has notified us that the version of lodash@4.17.19 has a CRITICAL security vulnerability that should no longer be used and instead upgrade to a patched version of lodash.
From this report: https://github.com/advisories/GHSA-35jh-r3h4-6jhm
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
npm ls lodash tree (oc-template-react-compiler):
├─┬ oc-template-react-compiler@5.2.2 ... │ ├── lodash@4.17.19 ...
Proposed Solution
Bump the version of lodash to the patched version 4.17.21. Optionally, can we use a minor semver ^4.17.21 to keep this up to date without a release?
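The check described in this issue, as an added example that is not code from the issue or from the oc-template-react-compiler project: walk the JSON tree that `npm ls --json` produces, flag every copy of lodash older than the patched 4.17.21 with its dependency path, and show which versions a `^4.17.21` range would accept. The tree is constructed to mirror the `npm ls lodash` output quoted above; `compareVersions`, `satisfiesCaret` and `findVulnerable` are names chosen for this example.

```javascript
// Constructed tree in the shape of `npm ls --json`, mirroring the issue:
// the app's own lodash is patched, but oc-template-react-compiler still
// pulls in a nested lodash@4.17.19.
const SAMPLE_TREE = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'oc-template-react-compiler': {
      version: '5.2.2',
      dependencies: { lodash: { version: '4.17.19' } },
    },
    lodash: { version: '4.17.21' },
  },
};

// Compare two "major.minor.patch" strings numerically.
// Assumption: no prerelease tags (npm ls prints resolved versions).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies a caret range such as "^4.17.21":
// at least the floor and below the next major (caret semantics for a
// nonzero major; 0.x ranges behave differently and are not handled here).
function satisfiesCaret(range, version) {
  const floor = range.replace(/^\^/, '');
  const nextMajor = `${Number(floor.split('.')[0]) + 1}.0.0`;
  return compareVersions(version, floor) >= 0 &&
    compareVersions(version, nextMajor) < 0;
}

// Return [{ path, version }] for every copy of `pkg` below `fixedIn`,
// recursing through nested dependencies so transitive copies are found.
function findVulnerable(tree, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findVulnerable(node, pkg, fixedIn, here));
  }
  return hits;
}

console.log(findVulnerable(SAMPLE_TREE, 'lodash', '4.17.21'));
```

Running it reports only the nested copy under oc-template-react-compiler, which is why bumping the compiler's own lodash dependency (not just the top-level one) is what closes the finding.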