This repository was archived by the owner on Dec 27, 2023. It is now read-only.
Security | Critical vulnerability in lodash@4.17.19 #650
Open
Description
Our dependency-check has notified us that lodash@4.17.19 has a CRITICAL security vulnerability, so it should no longer be used and we should instead upgrade to a patched version of lodash.
From this report: GHSA-35jh-r3h4-6jhm
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
npm ls lodash tree (oc-template-react-compiler):
├─┬ oc-template-react-compiler@5.2.2
...
│ ├── lodash@4.17.19
...
Proposed Solution
Bump the version of lodash to the patched version 4.17.21.
Optionally, can we use a minor semver ^4.17.21 to keep this up to date without a release?
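An added check, not code from this issue or from the oc-template-react-compiler project: it walks an `npm ls --json`-style dependency tree (the tree shape is assumed from npm's output and the sample is constructed inline to mirror the `npm ls lodash` output above), reports every lodash node older than the patched 4.17.21 together with the path that pulls it in, and shows which versions the proposed ^4.17.21 caret range would admit.

```javascript
// Added example, not part of the issue or the oc-template-react-compiler project.
// Tree shape assumed from `npm ls --json`:
//   { name, version, dependencies: { <name>: { version, dependencies } } }
const PATCHED_LODASH = "4.17.21";

// Minimal x.y.z comparison; enough for release versions (no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Does a caret range like "^4.17.21" admit this version? For major >= 1 a caret
// keeps the major fixed and allows anything at or above the stated minimum.
function satisfiesCaret(range, version) {
  const min = range.replace(/^\^/, "");
  return compareVersions(version, min) >= 0 &&
    version.split(".")[0] === min.split(".")[0];
}

// Returns [{ path, version }] for every lodash below the patched version.
function findVulnerableLodash(node, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = [];
  if (node.name === "lodash" && compareVersions(node.version, PATCHED_LODASH) < 0) {
    hits.push({ path: here.join(" > "), version: node.version });
  }
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerableLodash({ name, ...child }, here));
  }
  return hits;
}

// Constructed sample tree mirroring the issue's `npm ls lodash` output; the
// "some-dep" branch is invented to show a transitive copy that is already patched.
const sampleTree = {
  name: "oc-template-react-compiler", version: "5.2.2",
  dependencies: {
    lodash: { version: "4.17.19" },
    "some-dep": { version: "1.0.0", dependencies: { lodash: { version: "4.17.21" } } },
  },
};

console.log(findVulnerableLodash(sampleTree));
console.log(["4.17.19", "4.17.21", "4.18.0", "5.0.0"].map(v => [v, satisfiesCaret("^4.17.21", v)]));
```

Running it against real output (`npm ls --json > tree.json`, then `JSON.parse` the file in place of `sampleTree`) confirms whether the bump actually removed every vulnerable copy, including transitive ones that a top-level bump does not touch.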