melonmanchan/express-minify-html

Update lodash.merge to 4.6.2 to resolve security vulnerability

meszaros-lajos-gyorgy opened this issue · 7 comments

Hi!

The guys at npm found a security vulnerability with lodash, which was fixed in 4.6.2:


Last commit was in 2017. This project is dead as dirt. Go ahead and fork it, publish a new package name on NPM.

Linking pull request, which would solve this issue: #17

@mcandre: Well, the author's last activity was in early April this year, so I assume you are right. I do prefer to wait a bit more to see if the author checks GitHub.
Also, there are already 11 forks of the repo. Are there any candidates for the replacement of the main repo?

I've checked all forks and most of them are either behind/even with master or contain dependency version updates. If someone is to publish a fork of this repo, they should also add the other pull request which checks for html validation failure. I'm happy to publish a fork of this, but what should be its name? express-minify-html-2?

express-minify-html-2 is out live: https://www.npmjs.com/package/express-minify-html-2

Thanks for taking care of this and for putting the cat into the sock :)

Thanks, helped!