
Update lodash to 5.17.11 to resolve node vulnerability audit

Open joeyjmorales opened this issue 6 years ago • 5 comments

joeyjmorales avatar Jan 08 '19 22:01 joeyjmorales

Why is this not merged?

WebbizAdmin avatar Feb 22 '19 09:02 WebbizAdmin

@WebbizAdmin tests fail

aifrim avatar Feb 28 '19 11:02 aifrim

https://github.com/swagger-api/swagger-node/issues/570 might be relevant. According to that, work is happening to bring the project back to life, so things like the failing Travis and these PRs might get addressed.

andyedwardsibm avatar Apr 09 '19 13:04 andyedwardsibm

This is a very tiny PR that could help users of this package stay secure.

I use this swagger node package and would appreciate the patch to newer lodash.

Maintainers, if the various audit security errors were patched and a very small maintenance release were pushed I think existing users would greatly appreciate it. (I know I would!)

(Incidentally, the PR name is slightly off: the major version for lodash is 4.x, rather than 5.x.)

DeeDeeG avatar Oct 15 '19 17:10 DeeDeeG

Actually, this PR isn't strictly necessary. On the master branch, this package already depends on lodash "^4.17.2".

That means "greater than (or equal to) 4.17.2, but also less than 5.x".

If there were a new release of this package based off of the master branch, it would allow users to get up-to-date lodash, since the latest lodash (4.17.15 at the moment) is still in the 4.x series.

The fix that would be more meaningful would be for there to be a new release of this package.

DeeDeeG avatar Oct 15 '19 18:10 DeeDeeG
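Since the point above turns on what the caret range "^4.17.2" admits, here is an added example (not code from swagger-node or from any commenter) that implements npm's caret semantics for plain major.minor.patch versions and checks whether a declared range already covers a patched release. The function names and the simplified version grammar are my own assumptions; prerelease tags and other range operators are not handled.

```javascript
// Added example: minimal caret-range check mirroring npm's "^" semantics.
// ^4.17.2 means >=4.17.2 <5.0.0; with a leading zero the range narrows to
// the first non-zero component (^0.2.3 => <0.3.0, ^0.0.3 => <0.0.4).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range anchored at `lower`.
function caretUpperBound(lower) {
  const [major, minor, patch] = lower;
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True when `version` lies inside a caret range such as "^4.17.2".
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Does the declared dependency range already admit the patched release?
// Values are taken from the thread: the manifest declares "^4.17.2" and the
// audit asks for lodash 4.17.11 (the latest at the time was 4.17.15).
function rangeAdmitsFix(declaredRange, fixedVersion) {
  return satisfiesCaret(declaredRange, fixedVersion);
}

console.log(rangeAdmitsFix('^4.17.2', '4.17.11')); // true
console.log(satisfiesCaret('^4.17.2', '5.0.0'));   // false
```

A `true` result means a fresh `npm install` from a new release of the package would already resolve the fixed lodash; the remaining gap is that no release has been cut from master.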