shakyShane / gulp-svg-sprites

Create SVG sprites or compile to <symbols>
MIT License

Upgrade `lodash` and `svg-sprite-data` to patch vulnerability #119

Open wesrice opened 5 years ago

wesrice commented 5 years ago

This PR updates the lodash and svg-sprite-data dependency versions to patch the vulnerability found below. I also went ahead and ignored some common Yarn and NPM files.

This PR assumes that https://github.com/shakyShane/svg-sprite-data/pull/8 will be merged.

✗ Low severity vulnerability found in lodash
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/npm:lodash:20180130
  Introduced through: lodash@4.14.1, svg-sprite-data@3.1.0
  From: lodash@4.14.1
  From: svg-sprite-data@3.1.0 > lodash@4.14.1
  Remediation:
    Upgrade direct dependency lodash@4.14.1 to lodash@4.17.5 (triggers upgrades to lodash@4.17.5)
    Some paths have no direct dependency upgrade that can address this issue. Run `snyk wizard` to explore remediation options.

kevcenteno commented 5 years ago

@shakyShane Any thoughts on this?