Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade snoostorm to resolve upstream lodash vuln #20

Closed
anulman opened this issue Aug 6, 2019 · 0 comments · Fixed by #21
Closed

Upgrade snoostorm to resolve upstream lodash vuln #20

anulman opened this issue Aug 6, 2019 · 0 comments · Fixed by #21
Assignees
@brenapp
Labels
bug

Comments

@anulman
Copy link
Contributor

anulman commented Aug 6, 2019

Describe the bug
GitHub Alerts is notifying me of a vuln on lodash < 4.17.13, which is a transitive dependency of the pinned snoowrap version.

To Reproduce
Steps to reproduce the behavior:

  1. Run npm-why lodash (or yarn why lodash) in this project, or a project depending on snoostorm
  2. See a transitive dependency on lodash @ 4.17.11
    image

Expected behavior
The transitive dependency should resolve to 4.17.15, per changes from 4 days ago, released with (snoowrap 1.19.0)[https://www.npmjs.com/package/snoowrap]

System Configuration:
Using TypeScript? N
Node Version? 11.9
Snoostorm Version? ^1.1.2

Additional context
N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brenapp brenapp

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Upgrade snoowrap to resolve upstream lodash vuln
2 participants
@anulman @brenapp