chore(dependencies): Security issue
Chore summary: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

Tasks
- Upgrade lodash to version 4.17.21 or later

Additional context
❯ yarn why lodash
yarn why v1.22.10
[1/4] 🤔 Why do we have the module "lodash"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "lodash@4.17.21"
info Has been hoisted to "lodash"
info Reasons this module exists
- "workspace-aggregator-9d7c4e81-a142-402a-a0aa-d73d18c6433a" depends on it
- Hoisted from "_project_#@commitlint#cli#lodash"
- Hoisted from "_project_#@commitlint#cli#@commitlint#load#lodash"
- Hoisted from "_project_#smartlint#stylelint#lodash"
- Hoisted from "_project_#smartlint#dockerfilelint#lodash"
+ - Hoisted from "_project_#smartlint#@stoplight#spectral#@stoplight#json#lodash"
- Hoisted from "_project_#commitlint-config-airlight#@commitlint#config-conventional#conventional-changelog-conventionalcommits#lodash"
- Hoisted from "_project_#@commitlint#cli#@commitlint#read#git-raw-commits#lodash"
- Hoisted from "_project_#@commitlint#cli#@commitlint#load#@commitlint#resolve-extends#lodash"
- Hoisted from "_project_#lerna#@lerna#create#whatwg-url#lodash"
+ - Hoisted from "_project_#smartlint#@stoplight#spectral#@stoplight#json-ref-resolver#@stoplight#json#lodash"
- Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#lodash"
- Hoisted from "_project_#@commitlint#cli#@commitlint#lint#@commitlint#parse#conventional-commits-parser#lodash"
- Hoisted from "_project_#@commitlint#cli#@commitlint#lint#@commitlint#rules#@commitlint#ensure#lodash"
- Hoisted from "_project_#lerna#@lerna#clean#@lerna#prompt#inquirer#lodash"
- Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#conventional-changelog-writer#lodash"
info Disk size without dependencies: "4.88MB"
info Disk size with unique dependencies: "4.88MB"
info Disk size with transitive dependencies: "4.88MB"
info Number of shared dependencies: 0
=> Found "@stoplight/spectral#lodash@4.17.20"
info This module exists because "_project_#smartlint#@stoplight#spectral" depends on it.
info Disk size without dependencies: "4.86MB"
info Disk size with unique dependencies: "4.86MB"
info Disk size with transitive dependencies: "4.86MB"
info Number of shared dependencies: 0
✨ Done in 0.62s.
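The listing above shows why the task is not done by bumping the hoisted copy alone: `@stoplight/spectral` still pins its own nested `lodash@4.17.20`. As an added example (not code from the issue or its maintainers), this Python check parses `yarn why` output, flags every lodash copy below the advisory's fixed version, and emits the yarn 1 `resolutions` entry that forces the nested copies up; the sample output is an abbreviated copy of the listing above.

```python
import json
import re

# Fixed version from the advisory referenced in the issue (GHSA-35jh-r3h4-6jhm).
FIXED = "4.17.21"

# Abbreviated `yarn why lodash` output, copied from the listing above.
YARN_WHY = """\
=> Found "lodash@4.17.21"
info Has been hoisted to "lodash"
info Reasons this module exists
   - "workspace-aggregator-9d7c4e81-a142-402a-a0aa-d73d18c6433a" depends on it
   - Hoisted from "_project_#@commitlint#cli#lodash"
=> Found "@stoplight/spectral#lodash@4.17.20"
info This module exists because "_project_#smartlint#@stoplight#spectral" depends on it.
"""

# `=> Found "<parent#...#>lodash@<version>"`; the parent prefix is empty for the hoisted copy.
FOUND_RE = re.compile(r'^=> Found "(?P<path>.*?)lodash@(?P<version>[\d.]+)"$')


def parse_version(version):
    """Turn '4.17.20' into a tuple so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_copies(output):
    """Return (parent, version) for every lodash copy yarn reports."""
    copies = []
    for line in output.splitlines():
        match = FOUND_RE.match(line.strip())
        if match:
            parent = match.group("path").rstrip("#") or "<hoisted>"
            copies.append((parent, match.group("version")))
    return copies


def vulnerable_copies(output, fixed=FIXED):
    """Copies still below the fixed release, with the package that pins them."""
    return [(p, v) for p, v in find_copies(output) if parse_version(v) < parse_version(fixed)]


def resolutions_entry(output, fixed=FIXED):
    """yarn 1 selective-resolution block forcing all nested lodash copies to the fix."""
    if not vulnerable_copies(output, fixed):
        return {}
    return {"resolutions": {"**/lodash": f"^{fixed}"}}


if __name__ == "__main__":
    for parent, version in vulnerable_copies(YARN_WHY):
        print(f"lodash@{version} pinned by {parent} is below {FIXED}")
    print(json.dumps(resolutions_entry(YARN_WHY), indent=2))
```

Merge the printed block into the root package.json and re-run `yarn install`, then `yarn why lodash` should report a single copy at or above the fixed version.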
Issue created 2 years ago; 9 comments (1 by maintainers).
@titanve As a temporary workaround you can try this if you are using yarn
Fixed in 5.9.2. My apologies for such a long waiting time. We were all busy with v6.