Skip to content
This repository was archived by the owner on Sep 14, 2022. It is now read-only.

Update lodash to 5.17.11 to resolve node vulnerability audit#579

Open
joeyjmorales wants to merge 1 commit intoswagger-api:masterfrom
joeyjmorales:master
Open

Update lodash to 5.17.11 to resolve node vulnerability audit#579
joeyjmorales wants to merge 1 commit intoswagger-api:masterfrom
joeyjmorales:master

Conversation

@joeyjmorales
Copy link

@joeyjmorales joeyjmorales commented Jan 8, 2019

No description provided.

@joeyjmorales joeyjmorales mentioned this pull request Jan 8, 2019
Open
@JSON5995
Copy link

JSON5995 commented Feb 22, 2019

Why this is not merged??

@aifrim
Copy link

aifrim commented Feb 28, 2019

@WebbizAdmin tests fail

@andyedwardsibm
Copy link

andyedwardsibm commented Apr 9, 2019

#570 might be relevant. According to that, work is happening to bring the project back to life, so things like the failing Travis and these PRs might get addressed.

Tristramg added a commit to CodeursenLiberte/etherpad-lite that referenced this pull request Apr 16, 2019
@Tristramg
Fix a few vulnerabilities
fc00a50 
Two can not be fixed yet:
- swagger-api/swagger-node#579
- nodejs/node-gyp#1718
@Tristramg Tristramg mentioned this pull request Apr 16, 2019
Closed
@DeeDeeG
Copy link

DeeDeeG commented Oct 15, 2019

This is a very tiny PR that could help users of this package stay secure.

I use this swagger node package and would appreciate the patch to newer lodash.

Maintainers, if the various audit security errors were patched and a very small maintenance release were pushed I think existing users would greatly appreciate it. (I know I would!)

(Incidentally PR name is slightly off, the major version for lodash is 4.x, rather than 5.x)

@DeeDeeG
Copy link

DeeDeeG commented Oct 15, 2019

Actually this PR isn't strictly necessary. On master branch, this package already depends on lodash "^4.17.2".

That means "greater than (or equal to) 4.17.2, but also less than 5.x"

If there were a new release of this package based off of the master branch, it would allow users to get up-to-date lodash, since the latest lodash (4.17.15 at the moment) is still in the 4.x series.

The fix that would be more meaningful would be for there to be a new release of this package.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@joeyjmorales @JSON5995 @aifrim @andyedwardsibm @DeeDeeG