There's a vulnerability in lodash versions up to 4.17.5 (https://nvd.nist.gov/vuln/detail/CVE-2018-3721) which is a dependency of promise-core. Would it be possible to update the dependency to the latest version?
lucaswillering changed the title from "Vulnerability in lodash 4.17.5" to "Vulnerability in lodash up to v4.17.5" on Nov 5, 2018
The package.json for request-promise-core specifies "lodash": "^4.13.1" which means a fresh install will in fact pull a version of lodash newer than 4.17.5.
So you should be able to update with npm update or similar...
This is something I've seen happen on a lot of projects, where technically a fresh install of the package will pull in a good version, but anyone who installed it previously is stuck with a vulnerable version. What's the accepted way to deal with this?
I know gulp-sass pretty consistently tells their users to just update the node-sass dependency on their own: dlmanning/gulp-sass#712
Thanks for reporting this @lucaswillering ! I just released request-promise@4.2.3, request-promise-native@1.0.6, and request-promise-any@1.0.6 which bump lodash to @4.17.11.
@andreyrd You are right. The versioning is designed so that the user can deal with vulnerabilities directly. Of course, it is a good idea for a package maintainer to eventually enforce the upgrade.
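The comments above make two points that are easy to conflate: the caret range `"lodash": "^4.13.1"` already permits a fixed lodash on a fresh install, yet an existing lockfile keeps whatever version was resolved at the time, so those users stay on the old copy until they run `npm update` (or the maintainer bumps the range). The following is an added example, not code from the request-promise-core project or from anyone in this thread. It implements a minimal caret check and walks a constructed, lockfile-v1-style dependency tree to find stale lodash copies; the `4.17.5` threshold is taken as the first fixed release per the NVD entry linked in the report, and the lockfile fragment (including the `4.17.4` pin) is constructed for illustration, not taken from a real project.

```javascript
// Added example: why ^4.13.1 lets a fresh install pick up a fixed lodash,
// while a lockfile keeps the stale resolution until it is updated.
// Not part of request-promise-core; no external dependencies.

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease and build tags are
// deliberately out of scope for this illustration.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of two versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics for a non-zero major: ^X.Y.Z accepts >=X.Y.Z and <(X+1).0.0.
// The 0.x special cases of full semver are left out; ^4.13.1 has major 4.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const base = range.slice(1);
  const [baseMajor] = parseVersion(base);
  if (baseMajor === 0) throw new Error('0.x caret ranges need the full semver rules');
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === baseMajor;
}

// Recursively walk a lockfile-v1-style "dependencies" tree and return every
// resolved copy of `name` whose version is older than `fixedVersion`.
// Result: [{ path: 'a > b > lodash', version: '4.17.4' }, ...]
function findVulnerable(lock, name, fixedVersion, pathPrefix = []) {
  const findings = [];
  for (const [dep, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...pathPrefix, dep];
    if (dep === name && compareVersions(entry.version, fixedVersion) < 0) {
      findings.push({ path: here.join(' > '), version: entry.version });
    }
    findings.push(...findVulnerable(entry, name, fixedVersion, here));
  }
  return findings;
}

// Constructed lockfile fragment (not a real project's lock): the range in
// `requires` allows newer lodash, but the nested resolution is pinned at 4.17.4.
const constructedLock = {
  dependencies: {
    'request-promise-core': {
      version: '1.1.1',
      requires: { lodash: '^4.13.1' },
      dependencies: {
        lodash: { version: '4.17.4' },
      },
    },
  },
};

// Assumption taken from the NVD entry cited in the thread: 4.17.5 is the
// first fixed release. This code does not verify the advisory itself.
const FIRST_FIXED_LODASH = '4.17.5';

console.log(satisfiesCaret('^4.13.1', '4.17.11')); // true: a fresh install may resolve 4.17.11
console.log(satisfiesCaret('^4.13.1', '5.0.0'));   // false: the next major is excluded
console.log(findVulnerable(constructedLock, 'lodash', FIRST_FIXED_LODASH));
// [ { path: 'request-promise-core > lodash', version: '4.17.4' } ]
```

Run it with `node` against a real `package-lock.json` by replacing `constructedLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result is exactly the situation described above, and `npm update lodash` (or `npm audit fix`) regenerates the lock within the range the maintainer already declared.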