[Security] Bump lodash from 4.17.11 to 4.17.15 #8351

Merged
merged 1 commit into from Oct 14, 2019

@NMinhNguyen NMinhNguyen commented Oct 8, 2019

See https://www.npmjs.com/advisories/1065

Issue:

What I did

Updated to the latest published Lodash version. I could've just bumped to ^4.17.12 as per the advisory, but figured I might as well use the latest version. Although ^4.17.11 does allow the installation of newer non-vulnerable versions, 4.17.11 satisfies that version range and seems to cause Snyk to produce warnings.

How to test

  • Is this testable with Jest or Chromatic screenshots? No
  • Does this need a new example in the kitchen sink apps? No
  • Does this need an update to the documentation? No

If your answer is yes to any of these, please make sure to include it in your PR.
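
An added example, not code from this PR or from Storybook: a minimal check that flags a dependency range whose lowest satisfying version is below the patched release named in an advisory, which is the situation the description above reports for `^4.17.11`. It handles only exact, `^` and `~` ranges, all function names are hypothetical, and it is not a description of how Snyk works.

```javascript
// Parse "x.y.z" into [major, minor, patch]; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Compare two parsed versions: negative, zero, or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Lowest version a range admits. Handles exact, caret (^) and tilde (~)
// ranges only; for all three the floor is the version written in the range.
function rangeFloor(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[1]) : null;
}

// Report dependencies whose range floor is below the advisory's patched version.
// `advisories` maps package name -> first patched version (hypothetical shape).
function auditManifest(dependencies, advisories) {
  const findings = [];
  for (const [name, range] of Object.entries(dependencies)) {
    const patched = advisories[name] && parseVersion(advisories[name]);
    if (!patched) continue; // no advisory recorded for this package
    const floor = rangeFloor(range);
    if (floor === null) {
      // Range syntax this sketch does not understand: surface it, do not guess.
      findings.push({ name, range, status: "unparsed" });
    } else if (compare(floor, patched) < 0) {
      findings.push({ name, range, status: "floor-vulnerable", fix: "^" + advisories[name] });
    }
  }
  return findings;
}

// Constructed sample manifests; the patched version is the one quoted in the PR text.
const advisories = { lodash: "4.17.12" };
console.log(auditManifest({ lodash: "^4.17.11" }, advisories)); // one finding
console.log(auditManifest({ lodash: "^4.17.15" }, advisories)); // no findings
```

A lockfile may already resolve `^4.17.11` to a fixed release; this check looks only at the declared range.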

vercel bot commented Oct 8, 2019

This pull request is automatically deployed with Now.
To access deployments, click Details below or on the icon next to each push.

Latest deployment for this branch: https://monorepo-git-fork-nminhnguyen-lodash.storybook.now.sh

NMinhNguyen commented Oct 9, 2019

@shilman there's some build failures but I'm guessing they're unrelated? Btw the motivation for this change is I was tryna onboard Storybook to our private npm registry at work, but it leverages Snyk for vulnerability scanning and it rejected my request due to lodash.

Labels: dependencies; patch:done (Patch/release PRs already cherry-picked to main/release branch); patch:yes (Bugfix & documentation PR that need to be picked to main branch); security