opencomponents / oc-template-react

⚛️ Module for handling React templates in OC
MIT License

Security - Bumps lodash@^4.17.21 for critical security patch #651

Open sforsberg opened 2 years ago

sforsberg commented 2 years ago

Bumps lodash@^4.17.21 to patch a critical security vulnerability in the current hoisted version 4.17.19.

NOTE: Uses a minor semver to allow lodash to be easily bumped for future minor and patch versions. If this is preferred not to be used, I can revert this to a fixed version.

Resolves: #650

sforsberg commented 2 years ago

I may actually bump a few other dependencies; in particular, most oc-* deps can likely be updated to use a minor semver ~and async is still pulling in lodash@4.17.19.~ (Disregard async, async@2.6.3 resolves the lodash vulnerability.)

Any objections to doing that?