Revert "Bump lodash from 4.17.19 to 4.17.21" #14
Pull request overview
This pull request reverts a previous security update by downgrading lodash from version 4.17.21 to 4.17.19. The revert undoes the changes from PR #5, which had bumped the lodash version to address security vulnerabilities.
Changes:
- Downgrades lodash dependency from 4.17.21 to 4.17.19 in package.json
| "react-dom": "17.0.2", | ||
| "axios": "0.30.2", | ||
| "lodash": "4.17.21", | ||
| "lodash": "4.17.19", |
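Review bot: the `"lodash": "4.17.21"` -> `"4.17.19"` line moves a pinned dependency back below the version that PR #5 raised it to specifically for security, and nothing in the PR (the body says only "Reverts #5") states the compatibility problem that would justify that. Please either document the regression that 4.17.21 causes and show why it cannot be worked around on 4.17.21, or close this PR. Also note that only package.json appears in the diff: if the repository has a lockfile, it needs the matching change too, otherwise the installed version will not even follow this edit.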
Downgrading lodash from 4.17.21 to 4.17.19 reintroduces known security vulnerabilities. Lodash versions prior to 4.17.21 have prototype pollution and command injection vulnerabilities (CVE-2020-28500, CVE-2021-23337). This revert should not be merged unless there is a critical compatibility issue that requires this specific version, and even then, alternative solutions should be explored.
| "lodash": "4.17.19", | |
| "lodash": "4.17.21", |
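Review bot: this block puts `"lodash": "4.17.21"` back in place of `"4.17.19"`, i.e. it undoes the only change in the hunk above. If it is applied, the PR's net change to package.json is empty, so the right outcome is to close the PR rather than merge a no-op revert-of-a-revert.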
Reverts #5
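As an added example (not code from this PR, from lodash, or from the Copilot review), here is a small offline guard that fails a build when package.json pins a dependency below a known-fixed version. It assumes that both advisories the review comment names are resolved in lodash 4.17.21 and that a `check-deps.js` script is wired into CI; it uses Node built-ins only, and the two sample manifests embedded in it are constructed to mirror this PR's package.json before and after the revert.

```javascript
// Added example: a dependency version floor check for package.json.
// Not part of the PR or of lodash; the FLOORS table is an assumption
// based on the advisories named in the review comment.

// Minimum fixed version per package. Assumption: both CVEs named in the
// review are fixed in lodash 4.17.21.
const FLOORS = {
  lodash: { min: '4.17.21', advisories: ['CVE-2020-28500', 'CVE-2021-23337'] },
};

// Parse "1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3", "v1.2.3" into [major, minor, patch].
// Range prefixes are dropped on purpose: a spec like "^4.17.19" still allows
// 4.17.19 itself to be installed, so the floor must be judged on the low end.
function parseVersion(spec) {
  const m = /^[\^~>=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-way compare on [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk dependencies and devDependencies; return one finding per package that
// is below its floor. A spec that cannot be parsed (e.g. "latest", a git URL)
// is reported too, because it cannot be proven safe.
function checkPackageJson(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    const deps = pkg[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const floor = FLOORS[name];
      if (!floor) continue;
      const have = parseVersion(spec);
      const need = parseVersion(floor.min);
      if (have === null) {
        findings.push({ name, section, spec, reason: 'unparseable version' });
      } else if (compareVersions(have, need) < 0) {
        findings.push({
          name, section, spec,
          reason: `below ${floor.min} (${floor.advisories.join(', ')})`,
        });
      }
    }
  }
  return findings;
}

// CI entry point (assumed usage): node check-deps.js path/to/package.json
// Kept in a function so that merely loading this file never exits the process.
function checkFile(path) {
  const fs = require('fs');
  const findings = checkPackageJson(JSON.parse(fs.readFileSync(path, 'utf8')));
  for (const f of findings) {
    console.error(`${f.section}.${f.name} ${f.spec}: ${f.reason}`);
  }
  return findings.length === 0;
}

// Constructed samples mirroring this PR's package.json before and after the revert.
const SAMPLE_BEFORE_REVERT = {
  dependencies: { 'react-dom': '17.0.2', axios: '0.30.2', lodash: '4.17.21' },
};
const SAMPLE_AFTER_REVERT = {
  dependencies: { 'react-dom': '17.0.2', axios: '0.30.2', lodash: '4.17.19' },
};

console.log('before revert:', checkPackageJson(SAMPLE_BEFORE_REVERT));
console.log('after revert: ', checkPackageJson(SAMPLE_AFTER_REVERT));
```

In CI, `checkFile('package.json')` returning false should fail the job; unlike `npm audit` this needs no network and catches the downgrade at review time rather than after install. It deliberately does not read a lockfile, so pair it with a lockfile consistency check if the repository uses one.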