It seems the last version of grunt-contrib-compress requires:
"archiver": "^1.3.0" (in turn dependent on async, which is using lodash "^4.17.11")
"lodash": "^4.7.0"
Unfortunately, these packages depend on vulnerable lodash versions. Lodash version 4.17.11 has a prototype pollution vulnerability (as described in https://github.com/lodash/lodash/wiki/Changelog#v41712), fixed in version 4.17.12.
I'm just creating the issue to notify you of this fact and request a dependency update when the dependent packages are ready.
https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/
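Added example, not part of the original issue or of the project's code: a JavaScript sketch that walks a constructed package-lock v1 style tree to list every lodash copy older than 4.17.12, and checks whether the caret ranges quoted in the issue admit the fixed release. The sample tree, its placeholder versions, and all function names are assumptions; the caret check covers only major versions >= 1 and plain `x.y.z` versions.

```javascript
// Added example: the sample data below is constructed, not taken from a real lockfile.
const FIXED = "4.17.12"; // lodash release carrying the fix, per the issue

// Parse "x.y.z" into [x, y, z] numbers (pre-release tags are not handled).
const parse = (v) => v.split(".").map(Number);

// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range for major >= 1: ^a.b.c means >= a.b.c and < (a+1).0.0.
function satisfiesCaret(range, version) {
  const base = range.replace(/^\^/, "");
  return parse(base)[0] === parse(version)[0] && compare(version, base) >= 0;
}

// Walk a package-lock v1 style tree; report each lodash copy older than FIXED
// together with the dependency path that pulled it in.
function findVulnerableLodash(node, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === "lodash" && compare(dep.version, FIXED) < 0) {
      hits.push(`${here.join(" > ")}@${dep.version}`);
    }
    hits.push(...findVulnerableLodash(dep, here));
  }
  return hits;
}

// Constructed tree mirroring the chain described in the issue.
// Versions marked "0.0.0" are placeholders; the page does not state them.
const sampleLock = {
  dependencies: {
    "grunt-contrib-compress": { version: "0.0.0", dependencies: {
      lodash: { version: "4.17.11" },
      archiver: { version: "1.3.0", dependencies: {
        async: { version: "0.0.0", dependencies: {
          lodash: { version: "4.17.11" } } } } } } },
  },
};

console.log(findVulnerableLodash(sampleLock));
console.log(satisfiesCaret("^4.7.0", FIXED), satisfiesCaret("^4.17.11", FIXED));
```

The path in each hit shows which parent has to move before that copy of lodash can change, which is the "when the dependent packages are ready" condition in the issue.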