Closed vanessayuenn closed 2 years ago
Thanks @vanessayuenn, it doesn't look like we're using defaultsDeep
but it's always good to keep up-to-date on security patches.
Before I merge this, is there a reason why we wouldn't pin to the latest version 4.17.21?
@missinglink hah just an oversight on my part. Thanks for catching that. I've updated to use the latest version instead.
Here's the reason for this change 🚀
The project currently uses `lodash@^4.17.4`, which is vulnerable to Prototype Pollution (see this advisory link). The vulnerability has been patched in `4.17.12`.
Here's what actually got changed 👏
dependency on lodash has been updated to `^4.17.12`
Here's how others can test the changes 👀
I ran the test suite and nothing seems to have broken from this update, so nothing to see here!