pact-foundation / pact-js

JS version of Pact. Pact is a contract testing framework for HTTP APIs and non-HTTP asynchronous messaging systems.
https://pact.io

High Prototype Pollution risk caused by lodash.omitby/4.6.0 scanned by BlackDuck for @pact-foundation/pact@^12.1.2 #1169

Closed Rufei77 closed 4 months ago

Rufei77 commented 5 months ago

Expected behaviour

No vulnerabilities reported :)

Actual behaviour

Blackduck scanner reports a HIGH severity alert (CVE-2019-10744) for a dependency (lodash.omitby/4.6.0) used by pact.

mefellows commented 5 months ago

Thanks, are you interested in fixing this? Either by upgrading the dependency or replacing omitBy with another function?

FWIW you should consider and discuss whether or not a developer dependency is really exploitable and a HIGH severity risk (I bet it isn't).

yukun-han commented 5 months ago

Hi @mefellows, I am one of @Rufei77's colleagues and I'm here to help her raise a PR to fix this issue. The PR #1175 is already linked here. Please take your time to have a look and feel free to give feedback.

To discuss further: lodash is not actively maintained now. As time goes on, more and more security risks would possibly be reported by vulnerability scanning tools like Snyk and BlackDuck, and no one would go to take care of them! In my perspective, it is worthwhile to retire all lodash dependencies and replace them with alternatives. I noticed that ramda is also listed in dependencies. It is a good choice.
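The two remediation routes raised above (replacing `omitBy` with another function, or retiring the lodash dependency altogether) can be illustrated with a dependency-free replacement. The code below is an added example, not pact-js code or the linked PR; the function names `omitBy` and `omitNil` and the `sampleOptions` object are constructed for illustration. It deliberately visits only own enumerable keys (lodash's `omitBy` also walks inherited enumerable keys), so nothing is read from the prototype chain and the result is a fresh object.

```javascript
// Added example (not pact-js code): a dependency-free replacement for
// lodash.omitBy. Returns a new plain object holding the own enumerable
// string-keyed properties of `source` for which `predicate(value, key)`
// is falsy. Unlike lodash.omitBy, inherited properties are never visited.
function omitBy(source, predicate) {
  const result = {};
  if (source == null) return result; // lodash treats null/undefined as {}
  for (const key of Object.keys(source)) { // own enumerable keys only
    const value = source[key];
    if (!predicate(value, key)) {
      result[key] = value;
    }
  }
  return result;
}

// Common use in option-merging code: drop keys whose value is null/undefined.
function omitNil(source) {
  return omitBy(source, (value) => value == null);
}

// Constructed sample input resembling a request-matcher options object.
const sampleOptions = {
  method: 'GET',
  path: '/orders/1',
  query: undefined,
  headers: null,
  body: { id: 1 },
};

// Inherited keys are ignored: only `own` survives, `inherited` is never copied.
function ownKeysOnlyDemo() {
  const parent = { inherited: 1 };
  const child = Object.create(parent);
  child.own = 2;
  return omitBy(child, () => false);
}

console.log(omitNil(sampleOptions)); // { method: 'GET', path: '/orders/1', body: { id: 1 } }
console.log(ownKeysOnlyDemo());      // { own: 2 }
```

The own-keys-only behaviour is the design choice worth keeping: callers that relied on lodash copying inherited enumerable properties would need to opt in explicitly, which is the safer default for objects that may have been built by merging untrusted input.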

mefellows commented 4 months ago

I think this may be closed now that the other item has been merged and released - thanks for the PR! Closing.