fix(vulnerability): patch a potential vulnerability updating lodash dependency #372
Conversation
"@commitlint/travis-cli": "8.3.5", | ||
"@commitlint/cli": "9.1.1", | ||
"@commitlint/config-conventional": "9.1.1", | ||
"@commitlint/travis-cli": "9.1.1", |
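Review bot: the `@commitlint/*` bump from 8.3.5 to 9.1.1 is a major-version change that goes beyond the lodash fix named in the PR title; the description should say why the major is needed (the linked v9 changelog notes a breaking change) or the bump should land in its own PR so the security fix stays reviewable on its own.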
See the "light" breaking change introduced by version 9:
https://github.com/conventional-changelog/commitlint/blob/master/CHANGELOG.md#breaking-changes
get-stdin "7.0.0" | ||
lodash "4.17.15" | ||
lodash "^4.17.15" |
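Review bot: `lodash "4.17.15"` → `lodash "^4.17.15"` is a hand-edited range inside a generated lockfile; yarn writes these sub-dependency ranges from the parent package's own declaration, so a later `yarn install` or upgrade can put the exact pin back. Prefer bumping the parent package (as is done for `@commitlint/*` in this PR) or adding a `resolutions` entry for lodash in package.json so the constraint survives regeneration.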
Enables lodash upgrade to v4.17.19
Is it enough to upgrade lodash on an existing install?
In the Rails agent, the `package.json` file is only used for development tools (i.e. `devDependencies`). The Rails agent dependencies are the Ruby gems you'll find in the `Gemfile` (not the npm dependencies in the `package.json`).
"@commitlint/types" "^9.1.1" | ||
chalk "4.1.0" | ||
cosmiconfig "^6.0.0" | ||
lodash "^4.17.15" |
Enables lodash upgrade to v4.17.19
dependencies: | ||
import-fresh "^3.0.0" | ||
lodash "4.17.15" | ||
lodash "^4.17.15" |
Enables lodash upgrade to v4.17.19
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#b447f6670a0455bbfeedd11392eff330ea097548" | ||
integrity sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A== | ||
lodash@^4.17.15, lodash@^4.17.4: | ||
version "4.17.19" |
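Review bot: the new `lodash@^4.17.15, lodash@^4.17.4:` entry shows only `version "4.17.19"` here, while the removed 4.17.15 entry carried both `resolved` and `integrity`; confirm the lockfile still has the `resolved` URL and `integrity` hash for the 4.17.19 tarball, otherwise `yarn install` can no longer verify the artifact it downloads.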
All lodash dependencies are now using v4.17.19
## [5.2.2](v5.2.1...v5.2.2) (2020-08-04)

### Bug Fixes

* **vulnerability:** patch a potential vulnerability updating lodash dependency ([#372](#372)) ([5bd2471](5bd2471))

🎉 This PR is included in version 5.2.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
Clickup card: https://app.clickup.com/t/6up7hd
Pull Request checklist: