Update lodash@4.17.11 and debug@4.0.1 on the latest legacy version of this package @3.0.7 to deal with current snyk vulnerabilities in lodash@4.17.11 and debug@4.1.1
isocroft opened this issue · 2 comments
This feature request does not introduce breaking changes since the lodash version update is only on the patch version (4.17.11 -> 4.17.21). It also requests a change of version of debug@4.0.1 to debug@4.1.1 to match the version in @adonisjs/framework and @adonisjs/lucid
Why this feature is required (specific use-cases will be appreciated)?
It will mitigate the current vulnerabilities delineated by Snyk depicted here for the lodash library as the deadline for maintaining the legacy version of AdonisJS 4.1 is fast approaching (31st, December, 2021).
The dependencies are defined with ^x.y.z, which defines semver ranges compatible with the latest versions of lodash and debug. You can safely update the dependencies of your project without changes in this repository.
Closing since no answer from issue reporter.