Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: CVE-2020-8203 with lodash.pick #4692

Merged
merged 3 commits into from
Jun 25, 2024

Conversation

andres-robinet-sw
Copy link
Contributor

@andres-robinet-sw andres-robinet-sw commented Jun 25, 2024

Addresses #4684
#minor

Description

This PR updates the version of lodash.pick and fixes the CVE-2020-8203 vulnerability.
There is no patch for lodash.pick@4.4.0 which is a dependency of nightwatch@2.6.21.
Per Method Packages are discouraged by lodash and nightwatch@3.4.0 fixes this.
However, there's a transitive dependency with jsdom@23.1.0 which restricts Node engines to >=18.
Thus, we need to force a fully patched version of lodash to replace lodash.pick.

Specific Changes

Testing

The following screenshot shows the updated version for the lodash.pick package.
image

@andres-robinet-sw andres-robinet-sw requested a review from a team as a code owner June 25, 2024 18:21
@coveralls
Copy link

coveralls commented Jun 25, 2024

Pull Request Test Coverage Report for Build 9667643464

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.4%) to 84.075%

Totals Coverage Status
Change from base Build 9665967289: -0.4%
Covered Lines: 20343
Relevant Lines: 22900

💛 - Coveralls

@coveralls
Copy link

coveralls commented Jun 25, 2024

Pull Request Test Coverage Report for Build 9667643464

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 84.431%

Totals Coverage Status
Change from base Build 9665967289: 0.0%
Covered Lines: 20425
Relevant Lines: 22900

💛 - Coveralls

@tracyboehrer tracyboehrer merged commit 031c2ac into main Jun 25, 2024
13 checks passed
@tracyboehrer tracyboehrer deleted the southworks/update/fix/lodash-pick-vulnerability branch June 25, 2024 19:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants