
Fix security vulnerability (lodash)

See original GitHub issue

Chore summary

    yarn add @stoplight/spectral
    yarn audit

[screenshot of the yarn audit output, 2021-05-12 09:13]

Tasks

  • Bump lodash version >= 4.17.21

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 3
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

tsimbalar commented, Jun 1, 2021 (5 reactions)

Would it make sense for the project to not use an exact version of dependencies, and instead use a version range?

This would allow addressing security vulnerabilities without needing to release new versions of spectral 🤔

i.e. by updating the package.json and, instead of "lodash": "4.17.21", using things like

"lodash": "^4.17.21", -> any 4.x

or

"lodash": "~4.17.21", -> any 4.17.x
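An added example (not code from the spectral project or from this thread) that makes the three package.json forms above concrete: a dependency-free evaluator for exact, tilde and caret ranges, a resolver that picks what a fresh install would get, and a check of whether a given declaration could ever deliver the fixed lodash 4.17.21 to consumers without a new spectral release. The list of available lodash versions is constructed for the example, not a registry query, and 0.x caret semantics are deliberately left out.

```javascript
// Added example, not code from the spectral project or from this thread.
// Evaluates the three package.json range forms discussed above (exact, ~, ^)
// without the `semver` package, and answers the question the comment raises:
// could consumers pick up a fixed lodash from a given range without a new
// spectral release?

const FIXED_LODASH = "4.17.21"; // first release covering the audit findings in this issue

// Constructed sample of "published" versions; not a registry query.
const AVAILABLE_LODASH = ["4.17.19", "4.17.20", "4.17.21"];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

// Numeric comparison, so 4.17.9 < 4.17.21 (a plain string compare gets this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Reduces a range to a half-open interval [min, maxExclusive).
//   "4.17.21"  -> only that version
//   "~4.17.21" -> >=4.17.21 <4.18.0   (patch updates)
//   "^4.17.21" -> >=4.17.21 <5.0.0    (minor and patch updates; 0.x rules omitted)
function parseRange(range) {
  const r = String(range).trim();
  const op = r.startsWith("^") || r.startsWith("~") ? r[0] : "";
  const base = op ? r.slice(1) : r;
  const [major, minor, patch] = parseVersion(base);
  if (op === "^") {
    if (major === 0) throw new Error("0.x caret ranges are not handled in this example");
    return { min: base, maxExclusive: `${major + 1}.0.0` };
  }
  if (op === "~") return { min: base, maxExclusive: `${major}.${minor + 1}.0` };
  return { min: base, maxExclusive: `${major}.${minor}.${patch + 1}` };
}

function satisfies(version, range) {
  const { min, maxExclusive } = parseRange(range);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// What a package manager resolves on a fresh install: the highest available
// version inside the range, or null if nothing matches.
function resolveHighest(range, available = AVAILABLE_LODASH) {
  const matching = available.filter((v) => satisfies(v, range));
  return matching.length ? matching.sort(compareVersions).pop() : null;
}

// True iff some version >= fixed lies inside the range, i.e. a consumer could
// receive the fix without the declaring package cutting a new release.
function admitsFixedVersion(range, fixed = FIXED_LODASH) {
  return compareVersions(fixed, parseRange(range).maxExclusive) < 0;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const range of ["4.17.20", "~4.17.20", "^4.17.20"]) {
    console.log(
      `${range.padEnd(9)} resolves to ${resolveHighest(range)}; ` +
        `can reach ${FIXED_LODASH} without a re-release: ${admitsFixedVersion(range)}`
    );
  }
}
```

Run with `node` to see the three declarations side by side: the exact pin resolves to 4.17.20 and can never reach the fix, while the tilde and caret forms resolve to 4.17.21 on a fresh install. Two caveats a practitioner should keep in mind: the caret range's lower bound is the declared version (so `^4.17.21` admits nothing below 4.17.21, not every 4.x), and a range only helps when resolution actually runs; a consumer with a committed yarn.lock keeps the locked lodash until they run `yarn upgrade` or `yarn audit fix`-style tooling, so `yarn audit` can still report the old version after the range change.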

kilahm commented, Jul 14, 2021 (1 reaction)

Looks like #1585 solves this?


Top Results From Across the Web

  • How to fix Seriate and Lodash vulnerabilities (Stack Overflow): Check the "Path" field for the location of the vulnerability. On the npm public registry, find the package...
  • lodash vulnerabilities (Snyk): 4.17.21, published 20 Feb 2021: 0 critical, 0 high, 0 medium, 0 low direct vulnerabilities. 4.17.20, published 13 Aug 2020: 0 critical, 1 high, 1...
  • Lodash: Security vulnerabilities (CVE Details): CVE-2021-23337, CWE-94, published 2021-02-15, updated 2022-09-13, score 6.5; CVE-2020-28500, DoS, published 2021-02-15, updated 2022-09-13...
  • Security Bulletin: Lodash versions prior to 4.17.21 vulnerability ...: Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the ...
  • Lodash: Understanding the recent ... (DEV Community): We can fix it by freezing the Object with the JavaScript ES5 function Object.freeze() or by defining a null Object with Object.create(null). The ...
