Skip to content

Dependency lodash.set has an unpatched CVE #675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mhassan1 opened this issue Feb 23, 2022 · 2 comments · Fixed by #676
Closed

Dependency lodash.set has an unpatched CVE #675

mhassan1 opened this issue Feb 23, 2022 · 2 comments · Fixed by #676

Comments

@mhassan1
Copy link
Contributor

mhassan1 commented Feb 23, 2022
edited
Loading

The lodash.set package has an open CVE: https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032. The maintainer of Lodash will not release a patched version, and he considers the per-method packages soft-deprecated.

We should be able to use set-value as a drop-in replacement.
@mhassan1 mhassan1 mentioned this issue Feb 23, 2022
Merged
@mhassan1
Copy link
Contributor Author

mhassan1 commented Mar 7, 2022

Thanks, @pgrzesik. When do we think this will get an NPM release?

@pgrzesik
Copy link
Contributor

pgrzesik commented Mar 8, 2022

Hello @mhassan1 - I'm waiting for 1 PR to be completed - I would expect it to be released sometime later this week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

refactor: Replace lodash.set with set-value
2 participants
@mhassan1 @pgrzesik