opentok/opentok-node

Vulnerable package dependency lodash 4.17.11

my-name-was-already-taken opened this issue · 1 comment

OpenTok depends on "lodash": "^4.17.11", which has a vulnerability and should be replaced; see the output from yarn audit below:

yarn audit v1.19.1
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ opentok                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ opentok > lodash                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1065                        │

@jeffswartz Correct me if I am wrong, but I still see the 4.17.11 dependency in the package.json file. The pull request above doesn't seem to fix this issue. Any update on this?
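The point the thread turns on is that a caret spec such as "^4.17.11" still has 4.17.11 as its floor, so a lockfile can keep pinning the unpatched release even though 4.17.12 also satisfies the range. The following is an added example (not code from the opentok-node repository) that checks a package.json dependency spec against an advisory's "Patched in" floor, the form yarn audit prints; the sample package.json and the "other-lib" dependency are constructed inputs, not the project's real manifest.

```javascript
// Added example, not from opentok-node: does a declared dependency spec still
// admit a release below the advisory's "Patched in" floor?

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator semantics: -1 when a < b, 0 when equal, 1 when a > b.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version a spec accepts. Exact, caret ("^") and tilde ("~") specs all
// have their literal version as the floor; anything else is rejected rather
// than guessed.
function rangeFloor(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`unsupported dependency spec: ${spec}`);
  return m[1];
}

// patchedIn is the ">=X.Y.Z" string from the audit table's "Patched in" row.
function auditSpec(spec, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported patched range: ${patchedIn}`);
  const floor = rangeFloor(spec);
  const allowsVulnerable = compareVersions(floor, m[1]) < 0;
  // Keep the range operator, raise the floor to the first patched release.
  const suggested = allowsVulnerable ? spec.trim().replace(floor, m[1]) : spec;
  return { floor, patched: m[1], allowsVulnerable, suggested };
}

// Cross-check every advisory against a package.json's dependency blocks.
function checkDependencies(pkg, advisories) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return advisories
    .filter((a) => a.package in deps)
    .map((a) => ({ package: a.package, spec: deps[a.package], ...auditSpec(deps[a.package], a.patchedIn) }))
    .filter((f) => f.allowsVulnerable);
}

// Constructed inputs mirroring the audit table above (not the real manifest).
const samplePkg = { dependencies: { lodash: "^4.17.11", "other-lib": "~1.2.3" } };
const sampleAdvisories = [{ package: "lodash", patchedIn: ">=4.17.12" }];
const findings = checkDependencies(samplePkg, sampleAdvisories); // one finding: lodash, suggested "^4.17.12"
```

Raising the floor in package.json is only half the fix: the lockfile must also be regenerated (for example with yarn upgrade lodash) so the resolved version actually moves past 4.17.11.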