json-sass
An old version of lodash is being used here that has a vulnerability. Can we please fix this?
Prototype Pollution
Module: lodash
Published: February 13th 2019
Reported by: asgerf
CWE-471
CVE-2018-16487
Vulnerable: <4.17.11
Patched: >=4.17.11
Exploitability: 3

Overview
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of a property that will then exist on all objects.

Findings
json-sass > lodash

Remediation
Update to version 4.17.11 or later.
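The advisory above describes the bug in one sentence; the following is an added example (not code from json-sass, lodash or anyone in this thread) that shows the mechanism concretely. `unsafeMerge` is a constructed stand-in for a recursive merge that walks into whatever `dst[key]` resolves to, including `constructor` and `__proto__` reached through the prototype chain; it is not lodash's implementation. `safeMerge` is the hardened form: it refuses the three dangerous keys and only descends into own, plain-object properties. The payloads, the `isAdmin` property and `pollutionCheck` are all constructed for the demonstration.

```javascript
'use strict';

// Constructed stand-in for a naive deep merge (NOT lodash's code): it descends
// into whatever dst[key] already is, including values reached through the
// prototype chain, so "constructor" resolves to Object and "__proto__" to
// Object.prototype, and the attacker's nested keys land on the global prototype.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      let target = dst[key]; // prototype-chain lookup: the defect is here
      if (target === null || (typeof target !== 'object' && typeof target !== 'function')) {
        target = dst[key] = {};
      }
      unsafeMerge(target, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Keys that must never be traversed when merging untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for objects whose prototype is Object.prototype or null,
// i.e. plain data, never functions, class instances or built-ins.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: skips the blocked keys and only recurses into a target that
// is an OWN property of dst and a plain object; anything else is replaced by a
// fresh object, so the prototype chain is never written to.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      const existing = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined;
      const target = isPlainObject(existing) ? existing : {};
      dst[key] = safeMerge(target, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed attacker payloads, as they would arrive in a JSON request body.
// JSON.parse creates a real own property named "__proto__", unlike an object literal.
const PAYLOADS = [
  '{"constructor": {"prototype": {"isAdmin": true}}}', // the vector named in the advisory
  '{"__proto__": {"isAdmin": true}}',                  // the other classic vector
];

// Runs one payload through a merge function and reports whether an unrelated,
// freshly created object now carries the attacker's property. Restores
// Object.prototype afterwards so the check is repeatable in one process.
function pollutionCheck(mergeFn, payloadJson) {
  const dst = {};
  let threw = false;
  try {
    mergeFn(dst, JSON.parse(payloadJson));
  } catch (e) {
    threw = true;
  }
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, threw };
}

// Summary table for both merge functions over both payloads.
function runReport() {
  const report = {};
  for (const [name, fn] of [['unsafeMerge', unsafeMerge], ['safeMerge', safeMerge]]) {
    report[name] = PAYLOADS.map((p) => ({ payload: p, ...pollutionCheck(fn, p) }));
  }
  return report;
}

console.log(JSON.stringify(runReport(), null, 2));
```

`pollutionCheck` doubles as a regression test: run it against the project's real merge path after the lodash upgrade the advisory calls for (>=4.17.11) and it should report `polluted: false` for both payloads. Freezing `Object.prototype` at startup is a further defence-in-depth option in a service that never legitimately extends it, but it does not replace the upgrade.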
The package is 5 years old and doesn't seem to be maintained. I think it's best to fork it and make a new version if @acdlite isn't going to maintain it.
You (@clucaseh) can use this package instead: https://www.npmjs.com/package/json2scss-map. We forked it and updated it as per our needs, although any suggestion would be great.