
Update lodash requirement to fix security vulnerability

Open · ReinierRothuis opened this issue 6 years ago · 1 comment

Audit marks this package with a moderate warning due to the lower version of lodash. Please update to version >=4.17.11 of lodash

ReinierRothuis, Feb 15 '19 14:02

Another high severity vulnerability has been identified in lodash.

The current version of lodash (4.17.10) that tap-spec depends on has a high severity vulnerability. Lodash applied a fix for 4.17.13.

The vulnerability only affects the following lodash functions, merge, mergeWith and defaultsDeep, which aren't actually used in this library. But it would be nice to upgrade it anyway as it would mean that consumers of tap-spec can trust the library implicitly. At the moment GitHub alerts users of this vulnerability when installing tap-spec and you have to manually check that the library doesn't use the above lodash functions.

• tap-spec version: 5.0.0

What did you expect to happen? Not to receive a high severity vulnerability alert when installing tap-spec.

What actually happens? You receive a high severity vulnerability alert when installing tap-spec.

How to reproduce

npm i -D tap-spec

Thanks 😄

sievins, Jul 14 '19 13:07
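As an added example (not code from tap-spec or from either commenter), a small Node.js audit helper that automates the manual check the comment above describes: it flags an installed lodash older than the 4.17.13 fix and scans a package's source for references to merge, mergeWith and defaultsDeep, so a consumer can tell whether the alert corresponds to a reachable code path. The sample sources and version strings are constructed for illustration; the function-usage scan is a regex heuristic meant to shortlist files for manual review, not a full parser.

```javascript
// Added example: dependency-audit helper for the lodash advisory discussed above.
const AFFECTED = ['merge', 'mergeWith', 'defaultsDeep']; // functions named in the issue
const FIXED_VERSION = '4.17.13';                            // release the comment cites as fixed

// Parse "4.17.10" or a caret/tilde range base like "^4.17.10" into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// True when the installed copy predates the fixed release.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Heuristic scan: which affected functions does one source file reference?
// Covers `_.merge(`, `const { merge } = require('lodash')`, and per-method
// packages such as require('lodash/merge') or require('lodash.merge').
function affectedFunctionsUsed(source) {
  const used = [];
  for (const fn of AFFECTED) {
    const patterns = [
      new RegExp(`[_A-Za-z$][\\w$]*\\.${fn}\\s*\\(`),
      new RegExp(`\\{[^}]*\\b${fn}\\b[^}]*\\}\\s*=\\s*require\\(['"]lodash['"]\\)`),
      new RegExp(`require\\(['"]lodash[./]${fn}['"]\\)`),
    ];
    if (patterns.some((re) => re.test(source))) used.push(fn);
  }
  return used;
}

// Combine both checks: an alert is only actionable when the version is
// vulnerable AND the package actually reaches one of the affected functions.
function auditPackage(installedLodashVersion, sources) {
  const used = [...new Set(sources.flatMap(affectedFunctionsUsed))];
  const vulnerableVersion = isVulnerableVersion(installedLodashVersion);
  return { vulnerableVersion, affectedFunctionsUsed: used, exposure: vulnerableVersion && used.length > 0 };
}

// Constructed sample sources (not tap-spec's real code): one safe use, one reachable merge.
const SAMPLE_SOURCES = [
  "const _ = require('lodash');\nmodule.exports = (o) => _.pick(o, ['name']);",
  "const merge = require('lodash/merge');\nmodule.exports = (a, b) => merge({}, a, b);",
];
console.log(auditPackage('4.17.10', SAMPLE_SOURCES));
```

Run it against the real package by reading the resolved lodash version from package-lock.json and feeding it the package's .js files; a result with `exposure: false` but `vulnerableVersion: true` is exactly the "alert but unused function" situation the comment describes, which still merits the upgrade.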