Update lodash version for fixing security vulnerability

[trinangkur]

Q	A
Fixed Issues?	No
Patch: Bug Fix?	No
Major: Breaking Change?	No
Minor: New Feature?	No
Tests Added + Pass?	Yes
Documentation PR Link	No
Any Dependency Changes?	Yes
License	MIT

While doing an audit in our production we saw high vulnerability issues(command injection) related to babel. Looking further into the issue we found that lodash which is getting used in babel latest version is outdated and hence cause those vulnerabilities. Lodash has already fixed these issues and hence babel can also move to the latest version of lodash which is 4.17.21. Posting few links below to have a better understanding for everyone.

GHSA-35jh-r3h4-6jhm

https://snyk.io/vuln/SNYK-JS-LODASH-1040724

[babel-bot]

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/45953/

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 04c8311:

Sandbox	Source
babel-repl-custom-plugin	Configuration
babel-plugin-multi-config	Configuration

[nicolo-ribaudo]

Thanks, but this won't have any effect on your system: the updated package.json file is not part of any published package; this is just an internal devDependency.

Also, we don't use _.template internally so this doesn't even affect our own build process.

[nicolo-ribaudo]

Can you run yarn && yarn dedupe and commit the updated lockfile?

[trinangkur]

Updated yarn.lock files. please merge so that we can get rid of vulnerability check issues.

[merceyz]

please merge so that we can get rid of vulnerability check issues.

The package.json you've modified isn't published anywhere, like @nicolo-ribaudo said in #13289 (review) this has no impact on your system. Even if it was published semver allows for this to be fixed without any change in this repo and this repo is already using lodash@4.17.21.