Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update lodash version #10

Open
flyke opened this issue Apr 16, 2019 · 2 comments
Open

Update lodash version #10

flyke opened this issue Apr 16, 2019 · 2 comments

Comments

@flyke
Copy link

flyke commented Apr 16, 2019

If I run npm audit on a project using svg-sprite-generator, I get this security notice:

Moderate Prototype Pollution
Package lodash
Patched in >=4.17.11
Dependency of svg-sprite-generator [dev]
Path svg-sprite-generator > cheerio > lodash
More info https://npmjs.com/advisories/782

for security reasons, it would be better if svg-sprite-generator updates the lodash version of its dependencies
@flyke
Copy link
Author

flyke commented Apr 29, 2019

Edit: it is the cheerio requirement that includes lodash. Cheerio has a new version which fixes the vulnerability by requiring a higher lodash version.
svg-sprite-generator needs te require a higher version of cheerio to fix this.
(for example npm install cheerio@">1.0.0-rc.0" will install cheerio 1.0.0 release candidate 3 which requires lodash ^4.17.11 and fixes the vulnerability)

@Katttori Katttori mentioned this issue Aug 25, 2020
Open
@pumano
Copy link

pumano commented Apr 26, 2022

@flyke any news about it? looks like PR provided

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flyke @pumano