
low severity security vulnerability due to outdated lodash dependency #4

Closed
ckerr opened this issue Oct 22, 2018 · 4 comments


ckerr commented Oct 22, 2018

Found via npm audit in electron apps repo.

Low / Prototype pollution
Package: lodash
Patched in: >=4.17.5
Dependency of get-image-colors [dev]
Path: get-image-colors > get-svg-colors > cheerio > lodash
More info: https://nodesecurity.io/advisories/577

Looks like a release which bumped the cheerio requirement to >= 1.0.0-rc.1 and bumped get-svg-colors' own lodash requirement would resolve this.
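As an added example (not from this issue or the get-image-colors project), a short Node script that walks a package-lock-style dependency tree, reports every path ending in lodash, and flags versions below the advisory's patched floor of 4.17.5; the tree and its version numbers are constructed to mirror the reported path, not read from the repo.

```javascript
// Added example: find transitive copies of a package that are older than
// the "Patched in" floor of an advisory, walking a tree shaped like the
// "dependencies" entries of a package-lock.json v1 file.

// Minimal semver comparison on major.minor.patch. Prerelease tags are
// dropped, which is an assumption that suffices for lock-file versions.
function parseVersion(v) {
  const core = v.split('-')[0];
  return core.split('.').map(n => parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1 like a normal comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every path that ends in `target` with a version
// below `patchedIn`. Each hit records the full "a > b > c" chain so the
// maintainer can see which intermediate package needs its range bumped.
function findVulnerablePaths(tree, target, patchedIn, prefix = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree)) {
    const path = [...prefix, name];
    if (name === target && compareVersions(info.version, patchedIn) < 0) {
      hits.push({ path: path.join(' > '), version: info.version });
    }
    if (info.dependencies) {
      hits.push(...findVulnerablePaths(info.dependencies, target, patchedIn, path));
    }
  }
  return hits;
}

// Constructed sample tree: the shape follows the audit path in the issue,
// the version numbers are illustrative.
const sampleTree = {
  'get-image-colors': { version: '1.5.0', dependencies: {
    'get-svg-colors': { version: '1.0.0', dependencies: {
      'cheerio': { version: '0.22.0', dependencies: {
        'lodash': { version: '4.17.4' }   // below the patched floor: flagged
      }},
      'lodash': { version: '4.17.11' }    // already patched: not flagged
    }}
  }}
};

console.log(findVulnerablePaths(sampleTree, 'lodash', '4.17.5'));
```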

zeke (Member) commented Oct 22, 2018

Thanks!

zeke (Member) commented Oct 23, 2018

I just installed @dependabot on this repo. Let's see if we get a lodash PR soon...

zeke (Member) commented Oct 23, 2018

This should be resolved by #6 and #9, but the semantic release failed.

I opened an issue here: semantic-release/semantic-release#962

zeke (Member) commented Oct 25, 2018

New version 1.5.1 released! Updating get-image-colors now.

zeke closed this as completed Oct 25, 2018