Update lodash and babel dependencies to fix critical CVE #3
Hi there! I work at ConsenSys on the Truffle tool suite for Ethereum developers. We have a transitive dependency issue I have tracked down to this package. I believe I have a simple fix as described below:
This PR updates the lodash, yargs, and babel dependencies in this project. Lodash version should be greater than 4.5.0 to avoid the "prototype pollution in lodash" critical vulnerability. Yargs should be updated as the old version faces the same lodash issue. Babel has a new package (the deprecated babel-cli relied on an old version of lodash as well), so I have updated to that as well. I ran `npm run build` successfully after these changes but am uncertain if there is more that can be done from the standpoint of testing. Thanks for reviewing this, please let me know if there is anything else I can do to get it merged and published!