Closed: s100 closed this issue 4 years ago
There is a prototype pollution vulnerability in lodash, which lodash's maintainers seem not to be acting on. My suggestion is that moving away from lodash entirely might be an expedient way to resolve this.
Related, previously: #5, #171
openid-client does not utilize the method in question and is therefore not affected. Nevertheless, removing lodash is something I’d support driving a PR forward for if you’re offering to put the time into it.