semantic-release / github

:octocat: semantic-release plugin to publish a GitHub release and comment on released Pull Requests/Issues
https://www.npmjs.com/package/@semantic-release/github
MIT License

Outdated Lodash Dependency #794

Open MT5W4FLOP80 opened 7 months ago

MT5W4FLOP80 commented 7 months ago

Hi,

It appears that the latest version of @semantic-release/github has a transitive dependency for Lodash 4.2.1 (please see the screenshot). The outdated version of Lodash is vulnerable to the following security vulnerabilities:

lodash.capitalize/4.2.1: CVE-2018-3721 CVE-2019-1010266 CVE-2020-28500 CVE-2018-16487 CVE-2019-10744 CVE-2020-8203 CVE-2021-23337

[screenshot of the dependency tree, not reproduced]

Could you please investigate this matter and consider updating the Lodash dependency to a secure version?

Thank you

travi commented 7 months ago

@MT5W4FLOP80 in the future, when reporting a potential security concern, please follow our security policy and avoid reporting through a public issue like this one.

could you please help me understand what led you to believe that there is a dependency on a vulnerable version of lodash? you've linked to a number of CVEs for lodash, but have highlighted that the actual dependency is lodash.capitalize. that is different than the full version of lodash and is released on a different cadence than the full lodash package. each of the CVEs listed above mention the lodash methods that are vulnerable and none mention capitalize.

running `npm audit --production` and `snyk test` on the `issue-parser` package both report no vulnerabilities.

everything that i have investigated suggests that there are no known vulnerabilities related to our dependency on issue-parser. are you using a tool that is reporting different information or do you have knowledge beyond what the tools I have explored are reporting?

again, if you have information that would disclose a security problem without us being able to coordinate a fix before public disclosure, please leverage our security policy instead of sharing that information here.