
Critical security vulnerability

Open skhilliard opened this issue 4 years ago • 2 comments

gulp-run has a dependency on gulp-util which references a version of lodash.template that has a critical vulnerability. Would it be possible to update gulp-run to eliminate this? Unfortunately, I see that the gulp-util project has been deprecated.

gulp-run > gulp-util > lodash.template https://github.com/advisories/GHSA-jf85-cpcp-j695

`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  `-- [email protected]

skhilliard avatar Oct 08 '21 12:10 skhilliard

It is difficult to fix a security issue from a transitive dependency.

The best solution may be to submit a patch to gulp-util and convince them to do a release. Even though it's deprecated, the maintainer may be willing to publish a security patch.

Also, no one is really doing active development of this library AFAIK. If you think the issue can be fixed here, you can submit a patch, and I can help review.

cbarrick avatar Oct 11 '21 01:10 cbarrick
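To see where a fix for a transitive dependency actually has to land, it helps to enumerate every path through the dependency tree that reaches the affected package. The following is an added example, not code from gulp-run, gulp-util or any commenter: it walks an object shaped like `npm ls --json` output and reports each path to a target package along with its immediate parent (the package whose manifest must change, or be overridden, for the fix to take effect). The tree and all version strings below are constructed placeholders chosen to mirror the gulp-run > gulp-util > lodash.template chain from the report; they are not real published versions.

```javascript
// Added example (not from the gulp-run project): locate every path that
// reaches a given package in an `npm ls --json` style tree.
// Constructed sample tree; versions are placeholders, not real releases.
const sampleTree = {
  name: "my-app",
  version: "0.0.0",
  dependencies: {
    "gulp-run": {
      version: "0.0.0-placeholder",
      dependencies: {
        "gulp-util": {
          version: "0.0.0-placeholder",
          dependencies: {
            "lodash.template": { version: "0.0.0-placeholder" }
          }
        },
        "through2": { version: "0.0.0-placeholder" }
      }
    },
    // A second, direct copy of the same package so the walk finds two paths.
    "lodash.template": { version: "0.0.0-placeholder" }
  }
};

// Depth-first walk over the tree. Each result is an array of
// { name, version } entries from the root down to the target package.
function findPaths(tree, target) {
  const results = [];
  const seen = new Set(); // guard against accidental cycles in hand-built input
  function walk(node, name, path) {
    if (seen.has(node)) return;
    seen.add(node);
    const here = path.concat({ name, version: node.version });
    if (name === target) results.push(here);
    for (const [depName, depNode] of Object.entries(node.dependencies || {})) {
      walk(depNode, depName, here);
    }
    seen.delete(node);
  }
  walk(tree, tree.name, []);
  return results;
}

// Render a path the way the issue writes it: "a@1 > b@2 > c@3".
function formatPath(path) {
  return path.map((p) => `${p.name}@${p.version}`).join(" > ");
}

// The package directly above the target on each path is where a patch
// (or an override of the target's version) has to be applied.
function immediateParents(paths) {
  const parents = new Set();
  for (const path of paths) {
    if (path.length >= 2) parents.add(path[path.length - 2].name);
  }
  return Array.from(parents).sort();
}

// Stand-alone usage with the constructed tree.
const paths = findPaths(sampleTree, "lodash.template");
paths.forEach((p) => console.log(formatPath(p)));
console.log("fix must land in:", immediateParents(paths).join(", "));
```

On a real project the tree would come from `JSON.parse` of `npm ls --all --json` output. If the immediate parent is an unmaintained package (as with gulp-util here), the realistic options are the ones the thread names: a release from the parent, or moving off it; npm 8.3 and later also support an `overrides` field in package.json that pins a transitive package's version for the whole tree, which can serve as a stopgap while that happens.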

gulp-util has been deprecated for years and shouldn't even be a dependency. gulp-util will not be updated; use the migration instructions from the README to move to a supported dependency.

demurgos avatar Oct 11 '21 14:10 demurgos