[bug]: There is a vulnerability in [email protected] > [email protected]
Describe the bug
When running `pnpm audit` I can see that there is a vulnerability in lodash, and lodash is used by shadcn-ui under the hood.
```
high │ Command Injection in lodash
     │ Package             │ lodash.template
     │ Vulnerable versions │ <=4.5.0
     │ Patched versions    │ <0.0.0
     │ Paths               │ . > [email protected] > [email protected]
     │ More info           │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm
```
Affected component/components
shadcn-ui
How to reproduce
Install "shadcn-ui": "^0.8.0" using pnpm
Codesandbox/StackBlitz link
No response
Logs
No response
System Info
"shadcn-ui": "^0.8.0",
Before submitting
- [X] I've made research efforts and searched the documentation
- [X] I've searched for existing issues
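The report above is the kind of finding a CI gate should catch before a release ships with a transitive dependency that has no patched version. The following is an added example, not code from the shadcn-ui project or from this issue's author: a small Node script that parses the JSON report of `pnpm audit --json`, fails on advisories at or above a chosen severity, distinguishes transitive from direct findings, flags advisories whose `patched_versions` is `<0.0.0` (no fixed release exists, so the only remediation is removing or replacing the package), and honours reviewed, time-limited acceptances keyed by advisory URL. The report shape (`advisories` keyed by id, each with `module_name`, `severity`, `vulnerable_versions`, `patched_versions`, `findings[].paths` and `url`) is an assumption modelled on npm's legacy audit format; the sample report is constructed to mirror the advisory quoted in the issue, with placeholder versions and a placeholder advisory id.

```javascript
// Added example (not from the shadcn-ui project). Assumes the report shape
// described in the lead-in; verify it against your pnpm version's real
// `pnpm audit --json` output before relying on it.

// Constructed sample report mirroring the advisory quoted in the issue.
// "ADV-1" is a placeholder id and the `version` field is a placeholder.
const SAMPLE_REPORT = JSON.stringify({
  actions: [],
  advisories: {
    "ADV-1": {
      findings: [{ version: "0.0.0-placeholder", paths: ["shadcn-ui>lodash.template"] }],
      module_name: "lodash.template",
      severity: "high",
      title: "Command Injection in lodash",
      vulnerable_versions: "<=4.5.0",
      patched_versions: "<0.0.0",
      url: "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
    },
  },
  metadata: { vulnerabilities: { high: 1 } },
});

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise one advisory into the fields the gate needs.
function summarizeAdvisory(id, adv) {
  const paths = (adv.findings || []).flatMap((f) => f.paths || []);
  return {
    id,
    module: adv.module_name,
    severity: adv.severity,
    url: adv.url,
    // "<0.0.0" is how the registry expresses "no fixed release exists":
    // updating cannot help, the dependency has to be dropped or replaced.
    fixAvailable: adv.patched_versions !== "<0.0.0",
    // A direct dependency has a single-segment path; anything containing ">"
    // is transitive and must be fixed upstream or via a package override.
    transitive: paths.length > 0 && paths.every((p) => p.includes(">")),
    paths,
  };
}

// Decide whether the report should fail the build.
// minSeverity: lowest severity that fails the gate.
// accepted:    map of advisory URL -> ISO expiry date for findings that were
//              reviewed and temporarily accepted; expired entries fail again.
function gateAudit(reportJson, { minSeverity = "high", accepted = {}, now = new Date() } = {}) {
  const report = JSON.parse(reportJson);
  const threshold = SEVERITY_RANK[minSeverity] ?? SEVERITY_RANK.high;
  const failures = [];
  const expired = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const s = summarizeAdvisory(id, adv);
    if ((SEVERITY_RANK[s.severity] ?? 0) < threshold) continue;
    const until = accepted[s.url];
    if (until && new Date(until) > now) continue; // reviewed and still accepted
    if (until) expired.push(s.url);               // acceptance has lapsed
    failures.push(s);
  }
  return { ok: failures.length === 0, failures, expired };
}

// One human-readable line per failing advisory, stating the remediation path.
function formatFailure(f) {
  const fix = f.fixAvailable
    ? "update to a patched release"
    : "no patched release; remove or replace the dependency";
  const how = f.transitive ? "transitive" : "direct";
  return `${f.severity.toUpperCase()} ${f.module} (${how}) via ${f.paths.join(", ")}: ${fix} ${f.url}`;
}

// Run the gate over the constructed sample and report the outcome.
const sampleResult = gateAudit(SAMPLE_REPORT, { minSeverity: "high" });
for (const f of sampleResult.failures) console.error(formatFailure(f));
console.log(sampleResult.ok ? "audit gate: pass" : "audit gate: FAIL");
```

In a real pipeline the script would read the report from `pnpm audit --json` on stdin and set a non-zero exit code when `ok` is false; acceptances should live in a reviewed file in the repository, with an expiry, so that a finding like this one cannot be silenced indefinitely.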
Hi shadcn team, could you help to address this high security issue?
Bumping this as it's high severity, any timeline on upgrading the dependency? I'm happy to open a PR if one isn't already opened
The PR in #4397 looks great, thanks @JensAstrup. Any news on the approval status?
I have no idea who I'm waiting on for approval 😛
@shadcn ?
Guys, it is a high vulnerability. Any updates?
+1
also waiting here
Same!
+1 Better question: why even rely on Lodash? Seems to me it isn't well maintained. I always avoid Lodash due to frequent high severity vuln issues like this with it. Looks like we're all just supposed to head back to shadcn 1.0 for now?
+1
+1
May I add, there is the same problem in the shadcn package itself (not the cli) in the current main: https://github.com/shadcn-ui/ui/blob/1081536246b44b6664f4c99bc3f1b3614e632841/packages/shadcn/package.json#L62
Should I open another GH issue?
Thank you in advance!