request / request-promise

The simplified HTTP request client 'request' with Promise support. Powered by Bluebird.
ISC License
4.77k stars, 297 forks

Updated lodash dependency to 4.17.12 #326

Closed rishabh-chowdhary closed 4 years ago

rishabh-chowdhary commented 5 years ago

This updated version of 4.17.12 fixes a critical security vulnerability in lodash; more details are here: https://nvd.nist.gov/vuln/detail/CVE-2019-10744

coveralls commented 5 years ago

Coverage remained the same at 100.0% when pulling f4bbed1342a8b5300233cfa5a88cd08742eef99d on rishabh-chowdhary:master into 4e3b7ed87ae9a120aae2c4613e93aec3f8a615a9 on request:master.

rishabh-chowdhary commented 5 years ago

@All - Please confirm when this can be merged; it is a critical fix which is blocking our release.

analog-nico commented 4 years ago

The lodash changed in this PR is only a dev dependency. I am in the process of updating the lodash version used by request-promise-core that is used by this library. With the next version of request-promise the security vulnerability will be fixed.
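
Added example, not part of the thread and not code from the request-promise project: a lockfile check that separates dev-only copies of lodash from copies that ship at runtime, which is the distinction the last comment draws. It assumes the npm lockfileVersion 2/3 `packages` layout; the sample lockfile, the `example-app` and `some-tool` names and the `0.0.0-sample` version are constructed.

```javascript
'use strict';

// Constructed sample in npm's lockfileVersion 2/3 "packages" layout.
// It is NOT this repository's real lockfile; names and versions are made up.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.11', dev: true },
    'node_modules/request-promise-core': { version: '0.0.0-sample' },
    'node_modules/request-promise-core/node_modules/lodash': { version: '4.17.11' },
    'node_modules/some-tool/node_modules/lodash': { version: '4.17.15', dev: true },
  },
};

// Compare plain x.y.z versions; returns <0, 0 or >0. Pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every installed copy of `name` older than `fixedIn`.
// npm marks packages reachable only through devDependencies with dev: true;
// anything without that flag is installed for consumers as well.
function findOutdated(lock, name, fixedIn) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (!meta.version || compareVersions(meta.version, fixedIn) >= 0) continue;
    hits.push({ path, version: meta.version, scope: meta.dev ? 'dev-only' : 'runtime' });
  }
  return hits;
}

// 4.17.12 is the fixed version named in this PR.
const report = findOutdated(sampleLock, 'lodash', '4.17.12');
for (const h of report) console.log(`${h.scope.padEnd(8)} ${h.version}  ${h.path}`);
```

In the sample, bumping only the top-level dev dependency would leave the `runtime` row untouched, since that copy is pulled in through request-promise-core.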