Update lodash version for fixing security vulnerability #13289
Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/45953/
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 04c8311:
Thanks, but this won't have any effect on your system: the updated package.json file is not part of any published package; this is just an internal devDependency.
Also, we don't use _.template internally so this doesn't even affect our own build process.
Can you run |
Updated yarn.lock files. Please merge so that we can get rid of vulnerability check issues.
The |
While doing an audit in our production we saw high vulnerability issues (command injection) related to babel. Looking further into the issue, we found that lodash, which is used in the latest version of babel, is outdated and hence causes those vulnerabilities. Lodash has already fixed these issues, and hence babel can also move to the latest version of lodash, which is 4.17.21. Posting a few links below to give everyone a better understanding.
GHSA-35jh-r3h4-6jhm
https://snyk.io/vuln/SNYK-JS-LODASH-1040724
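The distinction drawn in this thread, between a lodash devDependency in an unpublished package.json and a dependency that consumers of a published package actually install, can be checked mechanically when triaging an audit finding. The following is an added example, not code from this PR or from Babel; the manifests are constructed samples, and `triage`, `rangeFloor` and `cmp` are hypothetical helper names. It assumes simple `^x.y.z`, `~x.y.z` or exact ranges.

```javascript
// Added example: classify an audit finding by where the flagged package is declared.
const FIXED = "4.17.21"; // fixed lodash version named in the PR description

// Constructed sample manifests (not Babel's real package.json files).
const manifests = [
  { name: "monorepo-root", private: true, devDependencies: { lodash: "^4.17.19" } },
  { name: "published-lib", dependencies: { lodash: "~4.17.15" } },
  { name: "patched-lib", dependencies: { lodash: "^4.17.21" } },
];

// Compare dotted numeric versions: negative if a < b, 0 if equal.
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lowest version a simple range (^x.y.z, ~x.y.z, x.y.z) permits.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error("unsupported range: " + range);
  return m[1];
}

// Returns "not-declared", "patched-range", "dev-only" or "runtime".
function triage(manifest, pkg, fixed) {
  const dev = (manifest.devDependencies || {})[pkg];
  const run = (manifest.dependencies || {})[pkg];
  if (dev === undefined && run === undefined) return "not-declared";
  // A range is "old" when it still permits a version below the fix.
  const old = (r) => r !== undefined && cmp(rangeFloor(r), fixed) < 0;
  // Runtime dependencies of a publishable package are installed by consumers.
  if (old(run) && !manifest.private) return "runtime";
  // devDependencies, and anything in a private (never published) manifest,
  // are installed only in a checkout of the repository itself.
  if (old(run) || old(dev)) return "dev-only";
  return "patched-range";
}

for (const m of manifests) {
  console.log(m.name + ": " + triage(m, "lodash", FIXED));
}
```

A "runtime" or "dev-only" result only says the declared range still permits an unfixed version; the version actually installed is whatever the lockfile resolves.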