status-im / react-native-desktop-qt

A Desktop port of React Native, driven by Qt, forked from Canonical

Security alert: CVE-2018-3721 (high-severity) #433

Open oskarth opened 5 years ago

oskarth commented 5 years ago

lodash
Open
GitHub opened this alert on Aug 19

1 lodash vulnerability found in …/files/package.json on Aug 19

Remediation
Upgrade lodash to version 4.17.5 or later. For example:

"dependencies": { "lodash": ">=4.17.5" }

or…

"devDependencies": { "lodash": ">=4.17.5" }

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2018-3721 More information
high severity
Vulnerable versions: < 4.17.5
Patched version: 4.17.5

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.


@MaxRis @vkjr

fyi @corpetty
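The alert above describes prototype pollution through lodash's deep-merge functions. As an added example that is not part of this issue or of the react-native-desktop-qt code base, the following JavaScript shows what a maintainer triaging such an alert would want on hand: a deep merge that refuses the keys (`__proto__`, `constructor`, `prototype`) an untrusted object could use to reach `Object.prototype`, a probe that confirms the global prototype is still clean after a merge, and a helper that reports whether a resolved lodash version (as pinned in a lockfile, not a range expression) is below the 4.17.5 patch level the alert names. All function names and the sample input are the example's own.

```javascript
// Added example, not project code: hardened deep merge plus the checks a
// maintainer would run when triaging a prototype-pollution advisory.

// Keys that must never be assigned from untrusted input, because writing
// through them reaches Object.prototype instead of the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively copy `source` into `target`. Unsafe keys are skipped and
// recorded in `report.skipped` so the caller can log or reject the input.
function safeMerge(target, source, report = { skipped: [] }) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      report.skipped.push(key);
      continue;
    }
    const value = source[key];
    const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
    if (isPlainObject(value)) {
      // Only descend into an *own* plain-object property of the target; an
      // inherited value (e.g. a Function's `prototype`) is never written through.
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = isPlainObject(existing) ? existing : {};
      target[key] = safeMerge(child, value, report);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True if no object inherits `probe`, i.e. Object.prototype was not polluted.
// `in` on a fresh empty object sees inherited properties, which is the point.
function prototypeIsClean(probe) {
  return !(probe in {});
}

// Patched version from the advisory: everything below 4.17.5 is vulnerable.
const PATCHED_LODASH = [4, 17, 5];

// Compare a resolved version string (e.g. "4.17.4" from a lockfile) against
// the patch level. A leading "^" or "~" is tolerated, but range semantics are
// not evaluated: pass the version actually installed.
function lodashIsVulnerable(version) {
  const parts = version.replace(/^[^\d]*/, '').split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < PATCHED_LODASH.length; i++) {
    const v = parts[i] || 0;
    if (v < PATCHED_LODASH[i]) return true;
    if (v > PATCHED_LODASH[i]) return false;
  }
  return false; // exactly the patched version
}

// Usage with a constructed input. JSON.parse yields an *own* "__proto__" key,
// which is exactly what a deep merge must refuse to honour.
const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "theme": {"dark": true}}');
const report = { skipped: [] };
const merged = safeMerge({ theme: { dark: false, font: 'mono' } }, untrusted, report);
console.log(merged, 'skipped:', report.skipped, 'clean:', prototypeIsClean('polluted'));
console.log('4.17.4 vulnerable:', lodashIsVulnerable('4.17.4'),
            '4.17.5 vulnerable:', lodashIsVulnerable('4.17.5'));
```

Running this keeps `merged.theme.dark` at `true` and `merged.theme.font` at `'mono'`, records `'__proto__'` as skipped, and reports the prototype clean; the version helper flags `4.17.4` and clears `4.17.5`.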

madhavarshney commented 5 years ago

This vulnerability does not affect the core react-native-desktop library and only affects project generation due to yeoman-generator. I have fixed this here which is currently blocked by #422.