Upgrade lodash dependency to fix prototype pollution exploit

[julian-sf]

EDIT: Apparently this made it into develop in between when I checked this and went to make the issue

[jennifer-shehane]

😅 Yes, PR is here #4684

[Evanht]

When will this fix be released? @jennifer-shehane

[soundstep]

We are still waiting for this to be release right?
Because I still get the previous version of lodash with cypress@3.4.0.
I don't quite understand when the dist-tag latest is 3.4.0, the git tag 3.4.0 on this repo has a new version of lodash, but I still get a wrong version of lodash. Does this module need to re-published under the same version? Which sounds wrong.

npm show cypress

cypress@3.4.0 | MIT | deps: 31 | versions: 72
Cypress.io end to end testing tool
https://github.com/cypress-io/cypress

keywords: browser, cypress, cypress.io, automation, end-to-end, e2e, integration, mocks, test, testing, runner, spies, stubs

bin: cypress

dist
.tarball: http://itvrepos.jfrog.io/itvrepos/api/npm/npm-itv/cypress/-/cypress-3.4.0.tgz
.shasum: 8053ee107eb6309f26abd57e882d05578bdc3391

dependencies:
@cypress/listr-verbose-renderer: 0.4.1 extract-zip: 1.6.7                     
@cypress/xvfb: 1.2.4                   fs-extra: 5.0.0                        
arch: 2.1.1                            getos: 3.1.1                           
bluebird: 3.5.0                        glob: 7.1.3                            
cachedir: 1.3.0                        is-ci: 1.2.1                           
chalk: 2.4.2                           is-installed-globally: 0.1.0           
check-more-types: 2.24.0               lazy-ass: 1.6.0                        
commander: 2.15.1                      listr: 0.12.0                          
common-tags: 1.8.0                     lodash: 4.17.11                        
debug: 3.2.6                           log-symbols: 2.2.0                     
execa: 0.10.0                          minimist: 1.2.0                        
executable: 4.1.1                      moment: 2.24.0                         
(...and 7 more.)

maintainers:
- bahmutov <gleb.bahmutov@gmail.com>
- brian-mann <brian.mann86@gmail.com>
- flotwig <npm@chary.us>

dist-tags:
dev: 3.4.0     latest: 3.4.0  

published a week ago by flotwig <npm@chary.us>

[jennifer-shehane]

The code for this is done in #4709, but this has yet to be released. We'll update this issue and reference the changelog when it's released.

You can run npm audit fix to fix the 'vulnerable' dependencies.

But also Cypress is immune to most if not all security vulnerabilities because its locally run software - not a web server hosted in the cloud, so this security issue doesn't even apply and is low priority for us.

[Jaafar-abusair]

@jennifer-shehane it blocking our code from build and deploy since we have role to prevent and deployment with Vulnerability, please merge

[jennifer-shehane]

We are working on a patch release now, instead of waiting for feature release.

[cypress-bot]

Released in 3.4.1.

[konekoya]

Thanks for the patch release :)