Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update lodash/lodash-es to fix CVEs flagged in 4.17.20 #1334

Merged
merged 1 commit into from
Apr 15, 2021
Merged

update lodash/lodash-es to fix CVEs flagged in 4.17.20 #1334

merged 1 commit into from
Apr 15, 2021

Conversation

johnmccabe
Copy link
Contributor

4.17.20 is flagged as being vulnerable to:

  • CVE-2021-23337 Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
  • CVE-2020-28500 Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

See - https://www.openhub.net/p/lodash/security?filter%5Bmajor_version%5D=&filter%5Bperiod%5D=1&filter%5Bversion%5D=3409002148&filter%5Bseverity%5D=

Bumping to 4.17.21 for both lodash and lodash-es.

Previously the pinned versions for both drifted as the Lodash project had not been releasing lodash-es at the same time as lodash. They have resolved the release problems on their side and both are again released in sync.

4.17.20 is flagged as being vulnerable to:

- CVE-2021-23337 Lodash versions prior to 4.17.21 are vulnerable
  to Command Injection via the template function.
- CVE-2020-28500 Lodash versions prior to 4.17.21 are vulnerable
  to Regular Expression Denial of Service (ReDoS) via the
  toNumber, trim and trimEnd functions.

See - https://www.openhub.net/p/lodash/security?filter%5Bmajor_version%5D=&filter%5Bperiod%5D=1&filter%5Bversion%5D=3409002148&filter%5Bseverity%5D=

Bumping to 4.17.21 for both lodash and lodash-es.

Previously the pinned versions for both drifted as the Lodash
project had not been releasing lodash-es at the same time as
lodash. They have resolved the release problems on their side
and both are again released in sync.
@jquense jquense merged commit 70d0b67 into jquense:master Apr 15, 2021
@jquense
Copy link
Owner

jquense commented Apr 15, 2021

thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants