Closed th0rgall closed 5 years ago
Hey @th0rgall, thank you for signaling this dependency issue.
The only not-up-to-date dependency is a dev one, github-changes.
```
crx@5.0.1 /Users/oncletom/workspace/crx
├─┬ archiver@3.0.3
│ └─┬ async@2.6.3
│   └── lodash@4.17.15
├─┬ eslint@5.16.0
│ ├─┬ inquirer@6.3.1
│ │ └── lodash@4.17.15
│ ├── lodash@4.17.15
│ └─┬ table@5.2.3
│   └── lodash@4.17.15
├─┬ github-changes@1.1.2
│ └── lodash@2.4.1
└─┬ nyc@14.1.1
  └─┬ istanbul-lib-instrument@3.3.0
    ├─┬ @babel/generator@7.5.5
    │ └── lodash@4.17.15 deduped
    ├─┬ @babel/traverse@7.5.5
    │ └── lodash@4.17.15 deduped
    └─┬ @babel/types@7.5.5
      └── lodash@4.17.15 deduped
```
The new patch release should be automatically published online in a few minutes.
It seems lodash again has a severe vulnerability before 4.17.13.
More info about the vulnerability: https://github.com/lodash/lodash/pull/4336
Current version of lodash in package.lock: 4.17.11 (https://github.com/oncletom/crx/blob/master/package-lock.json#L1712)
A previous vulnerability fix was done here: https://github.com/oncletom/crx/issues/89, I guess this one can be done the same way.
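One way to check a lock file for the affected range before and after such an upgrade, as an added example that is not part of this thread or of the crx project; it assumes npm's lockfileVersion 1 layout (nested `dependencies` objects) and uses a constructed sample lock, not the real package-lock.json:

```javascript
// Added example (not the crx project's or the thread's code): walk a
// lockfileVersion-1 package-lock.json and list every lodash entry older
// than the fixed release named in the issue (4.17.13).

const FIXED_LODASH = '4.17.13';

// Compare plain x.y.z versions (no prerelease tags); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recurse through nested `dependencies` objects (v1 lock format) and
// collect { path, version } for every `name` entry below `fixed`.
function findVulnerable(lock, name, fixed, path = [], out = []) {
  for (const [dep, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${dep}@${entry.version}`];
    if (dep === name && compareVersions(entry.version, fixed) < 0) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findVulnerable(entry, name, fixed, here, out); // nested copies
  }
  return out;
}

// Constructed sample lock (NOT the real crx package-lock.json), shaped
// like npm's lockfileVersion 1 output, with the versions from the thread.
const sampleLock = {
  name: 'crx', version: '5.0.1', lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.11' },
    'github-changes': { version: '1.1.2',
      dependencies: { lodash: { version: '2.4.1' } } },
    archiver: { version: '3.0.3',
      dependencies: { lodash: { version: '4.17.15' } } },
  },
};

// Run the audit against the sample; returns the two vulnerable entries.
function auditSample() {
  return findVulnerable(sampleLock, 'lodash', FIXED_LODASH);
}

console.log(auditSample());
```

Pointing `findVulnerable` at `JSON.parse(fs.readFileSync('package-lock.json'))` instead of the sample gives the same report for a real project; an empty result after `npm update lodash` confirms no nested copy was left behind.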