tvdstaaij / node-git-describe

Git describe information at runtime, with semver support

Updates lodash to v4.17 #10

Closed saitho closed 5 years ago

saitho commented 5 years ago

Updating lodash to v4.17.11 resolves two vulnerabilities, CVE-2018-16487 and CVE-2018-3721.

However, I wasn't able to run the tests as most of them already failed due to timeout before the update... Never mind, Travis succeeded. https://travis-ci.com/saitho/node-git-describe/jobs/176534138

tvdstaaij commented 5 years ago

Thanks, I'll push a new version shortly.

It's good to note that node-git-describe does not call defaultsDeep, merge or mergeWith, and therefore isn't truly affected by these CVEs. So if anyone has node-git-describe <=4.0.3 running in production there is no urgent need to upgrade.