Open ReinierRothuis opened 5 years ago
Another high severity vulnerability has been identified in lodash.
The current version of lodash (4.17.10) that tap-spec depends on has a high severity vulnerability. Lodash applied a fix for 4.17.13.
The vulnerability only affects the following lodash functions: merge, mergeWith and defaultsDeep, which aren't actually used in this library. But it would be nice to upgrade it anyway as it would mean that consumers of tap-spec can trust the library implicitly. At the moment GitHub alerts users of this vulnerability when installing tap-spec and you have to manually check that the library doesn't use the above lodash functions.
What did you expect to happen? Not to receive a high severity vulnerability alert when installing tap-spec.
What actually happens? You receive a high severity vulnerability alert when installing tap-spec.
How to reproduce
npm i -D tap-spec
Thanks 😄
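As an added example (not code from tap-spec or lodash), the two checks the report leaves to the consumer, automated in Node: flag any nested lodash entry in a package-lock style tree that is older than the 4.17.13 fix named above, and report which of merge, mergeWith or defaultsDeep a source file references. The lock fragment and source snippet are constructed sample inputs, and the version comparison is a plain numeric one rather than full semver.

```javascript
// Added example (not tap-spec's or lodash's own code): automate the two
// checks the report describes for a lodash dependency.
const FIXED_VERSION = '4.17.13'; // fix release named in the report
const AFFECTED = ['merge', 'mergeWith', 'defaultsDeep'];

// Numeric comparison of dotted versions; pre-release tags are ignored
// (a simplification for this example, not full semver).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}
// True when the installed version predates the fixed release.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Affected function names a source file references, matching the
// `_.merge(`, `lodash.merge(` and `require('lodash/merge')` styles.
function findAffectedCalls(source) {
  return AFFECTED.filter((name) =>
    new RegExp(`\\b(?:_|lodash)\\.${name}\\s*\\(|lodash/${name}\\b`).test(source)
  );
}

// Walk a package-lock.json style "dependencies" tree and collect every
// nested lodash entry still below the fixed version, with its path.
function findVulnerableLodash(deps, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === 'lodash' && isVulnerableVersion(info.version)) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    hits.push(...findVulnerableLodash(info.dependencies, here));
  }
  return hits;
}

// Constructed sample inputs (not real tap-spec data).
const SAMPLE_LOCK = {
  'tap-spec': { version: '0.0.0', dependencies: { lodash: { version: '4.17.10' } } },
  lodash: { version: '4.17.15' },
};
const SAMPLE_SOURCE = "const _ = require('lodash');\n" +
  "const merge = require('lodash/merge');\n" +
  "module.exports = (a, b) => _.defaultsDeep(merge({}, a), b);\n";
```

Running `findVulnerableLodash(SAMPLE_LOCK)` reports only the nested `tap-spec > lodash` 4.17.10 entry, and `findAffectedCalls(SAMPLE_SOURCE)` returns `['merge', 'defaultsDeep']`.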
Audit marks this package with a moderate warning due to the lower version of lodash. Please update to version >=4.17.11 of lodash.