Outdated Lodash Dependency #794
@MT5W4FLOP80 In the future, when reporting a potential security concern, please follow our security policy and avoid reporting through a public issue like this one. Could you please help me understand what led you to believe that there is a dependency on a vulnerable version of lodash? You've linked to a number of CVEs for lodash, but have highlighted that the actual dependency is running everything that I have investigated suggests that there are no known vulnerabilities related to our dependency on Again, if you have information that would disclose a security problem without us being able to coordinate a fix before public disclosure, please leverage our security policy instead of sharing that information here.
Hi,
It appears that the latest version of @semantic-release/github has a transitive dependency for Lodash 4.2.1 (please see the screenshot). The outdated version of Lodash is vulnerable to the following security vulnerabilities:
lodash.capitalize/4.2.1:

- CVE-2018-3721
- CVE-2019-1010266
- CVE-2020-28500
- CVE-2018-16487
- CVE-2019-10744
- CVE-2020-8203
- CVE-2021-23337
Could you please investigate this matter and consider updating the Lodash dependency to a secure version?
Thank you
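The disagreement above comes down to which package is actually installed: `lodash.capitalize` is a separate npm package from `lodash`, so an advisory filed against `lodash` does not match it by name. The following script is an added example (not code from this project) that walks a package-lock.json `packages` map, lists every installed lodash-family package with its install path, and matches advisories by exact package name and version. The lockfile fragment and the advisory table are constructed for illustration; the fixed-version entry for CVE-2021-23337 is the one I am confident of, the other CVE ranges would come from the GitHub Advisory Database.

```javascript
// Constructed sample lockfile (lockfileVersion 3 shape); not the real
// @semantic-release/github lockfile. Note that only "lodash.capitalize" sits
// under the @semantic-release/github dependency, while "lodash" itself is
// pulled in by an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@semantic-release/github": {
      version: "9.0.0", dependencies: { "lodash.capitalize": "^4.2.1" } },
    "node_modules/lodash.capitalize": { version: "4.2.1" },
    "node_modules/some-tool": { version: "1.0.0", dependencies: { lodash: "^4.17.15" } },
    "node_modules/some-tool/node_modules/lodash": { version: "4.17.15" },
  },
};

// Illustrative advisory table: exact package name plus first fixed version.
// CVE-2021-23337 (lodash, fixed in 4.17.21) is one of the IDs from the issue.
const ADVISORIES = [
  { id: "CVE-2021-23337", pkg: "lodash", fixedIn: "4.17.21" },
];

// Minimal numeric major.minor.patch comparison (no prerelease handling).
function lessThan(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// The package name is whatever follows the last "node_modules/" segment,
// so scoped names like "@semantic-release/github" survive intact.
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Every installed package whose name starts with "lodash", with its path.
function findLodashFamily(lock) {
  return Object.entries(lock.packages)
    .filter(([key]) => key !== "" && packageName(key).startsWith("lodash"))
    .map(([key, meta]) => ({ name: packageName(key), version: meta.version, path: key }));
}

// Attach advisory IDs only where the package name matches exactly and the
// installed version is below the fixed version.
function matchAdvisories(installed, advisories) {
  return installed.map((p) => ({
    ...p,
    advisories: advisories
      .filter((a) => a.pkg === p.name && lessThan(p.version, a.fixedIn))
      .map((a) => a.id),
  }));
}

console.log(JSON.stringify(matchAdvisories(findLodashFamily(SAMPLE_LOCK), ADVISORIES), null, 2));
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; `npm ls lodash lodash.capitalize --all` gives the same tree view from the CLI.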