angular-redux/ng-redux

the published version of 4.4.1 depends on a vulnerable version of lodash (4.17.13)

joekrump opened this issue · 1 comment

For some reason, the package.json file that is published depends on an exact version of lodash (4.17.13), screenshot below, which is vulnerable to GHSA-p6mc-m468-83gw and which does not match up with what's specified in this project's package.json file, which specifies `^4.17.13`.

[Screenshot of the published package.json, taken 2020-08-18]

My proposal is to publish a new patch version 4.4.2 which should have a package.json file that matches the one in this repo. Also, ping me and let me know if I can help or provide more information.

I've just released v4.4.2 with lodash v4.17.20, which fixes CVE-2020-8203
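As an added illustration of the mismatch described in this issue (example code, not part of ng-redux or of either comment above): a small Node check that reports whether a dependency spec can ever resolve to a given fixed version, handling only the exact-pin, caret and tilde forms. The package.json fragments are constructed from the versions quoted in the issue, and 4.17.20 is taken from the maintainer's reply as the known-fixed lodash version.

```javascript
// Added example, not from the ng-redux project. Decides whether a
// package.json dependency spec can reach an advisory's fixed version.
// Only three spec forms are handled: exact "4.17.13", caret "^4.17.13",
// tilde "~4.17.13". Anything else is treated as an exact pin.

// Strip a leading ^, ~, = or v and split into numeric components.
const parse = (v) => v.replace(/^[\^~=v]*/, '').split('.').map(Number);

// Three-way compare of parsed versions; missing components count as 0.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

// Can `spec` resolve to `version` under npm's caret/tilde rules?
function specAllows(spec, version) {
  const base = parse(spec);
  const v = parse(version);
  if (compare(v, base) < 0) return false;          // below the floor
  if (spec.startsWith('^')) {
    // caret: same major, or same minor while the major is 0
    return base[0] !== 0 ? v[0] === base[0] : v[0] === 0 && v[1] === base[1];
  }
  if (spec.startsWith('~')) return v[0] === base[0] && v[1] === base[1];
  return compare(v, base) === 0;                   // exact pin
}

// Returns the offending spec when `name` in `pkg.dependencies` can never
// install `fixedVersion`, otherwise null (also null if not a dependency).
function pinnedBelowFix(pkg, name, fixedVersion) {
  const spec = (pkg.dependencies || {})[name];
  if (!spec) return null;
  return specAllows(spec, fixedVersion) ? null : spec;
}

// Constructed manifests mirroring the issue: published vs. repository.
const publishedPkg = { dependencies: { lodash: '4.17.13' } };
const repoPkg = { dependencies: { lodash: '^4.17.13' } };
const FIXED_LODASH = '4.17.20'; // version the maintainer shipped in v4.4.2

console.log('published:', pinnedBelowFix(publishedPkg, 'lodash', FIXED_LODASH));
console.log('repo:', pinnedBelowFix(repoPkg, 'lodash', FIXED_LODASH));
```

The published manifest is reported with its pinned spec `4.17.13`, while the repository's caret range returns null because `4.17.20` is within it.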