This repository was archived by the owner on Oct 1, 2020. It is now read-only.

update lodash to v4.17.20 #104

Closed
SigurdMW opened this issue Aug 19, 2020 · 5 comments · Fixed by #105

@SigurdMW

  • Operating System: All
  • Cypress Version: @cypress/webpack-preprocessor@5.4.4
  • Browser Version: n/a

Is this a Feature or Bug?

Bug, lodash 4.17.19 is vulnerable to prototype pollution according to snyk: https://app.snyk.io/vuln/SNYK-JS-LODASH-590103

Current behavior:

Desired behavior:

Update package to lodash 4.17.20

How to reproduce:

Additional Info (images, stack traces, etc)

@jennifer-shehane
Member

PR: #105

@berickson1

@jennifer-shehane - would you consider switching to using caret syntax for dependencies ("lodash": "^4.17.20")? That would allow consumers to upgrade things like lodash manually when vulnerabilities are found. Without pulling in the latest version of this module, we're stuck on an older version of lodash by default (due to yarn lockfile de-duplication yarn-deduplicate --strategy fewer)
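
The situation described in the comment above (a pinned dependency keeping consumers on an older lodash via the lockfile) can be checked mechanically. The following is an added example, not code from the Cypress project: it parses a constructed yarn.lock v1 fragment and reports entries of a package resolved below a minimum version; the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example (not the cypress-webpack-preprocessor project's code): audit a
// yarn.lock (v1 format) for a package resolved below a minimum safe version.
// The lockfile text below is constructed for illustration only.
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

lodash@4.17.19, lodash@^4.17.15:
  version "4.17.19"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.19.tgz"

lodash@^4.17.20:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz"
`;

// Parse yarn.lock v1 into [{ specs: ["lodash@4.17.19", ...], version: "4.17.19" }].
// A header line is a comma-separated list of "name@range" specs ending in ':';
// the indented "version" line beneath it is the version yarn actually resolved.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const specs = raw.replace(/:\s*$/, "").split(",")
        .map(s => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.trim().match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Numeric comparison of dotted versions (no pre-release tags): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lock entries of `pkg` whose resolved version is older than `minVersion`.
// Every spec in such an entry is a range that still lets yarn keep the old copy.
function findOutdated(lockText, pkg, minVersion) {
  return parseYarnLock(lockText)
    .filter(e => e.version && e.specs.some(s => s.startsWith(pkg + "@")))
    .filter(e => compareVersions(e.version, minVersion) < 0)
    .map(e => ({ specs: e.specs, version: e.version }));
}
```

Running `findOutdated(SAMPLE_YARN_LOCK, "lodash", "4.17.20")` on the sample returns the single entry resolved to 4.17.19, together with the two ranges (`lodash@4.17.19`, `lodash@^4.17.15`) that are still satisfied by it.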

@jennifer-shehane
Member

Yes, we did this for our main Cypress project already.

@jennifer-shehane
Member

@berickson1 PR here #107

@chrisbreiding
Collaborator

🎉 This issue has been resolved in version 5.4.5 🎉

The release is available on:

Your semantic-release bot 📦🚀
