Description
Three open Dependabot alerts related to lodash in package-lock.json:
| Alert | Severity | Summary |
|---|---|---|
| #62 | High | Code Injection via `_.template` imports key names |
| #61 | Medium | Prototype Pollution via `_.unset` and `_.omit` (array path bypass) |
| #36 | Medium | Prototype Pollution in `_.unset` and `_.omit` |
Current State
- `lodash@4.17.21` is a transitive dependency (from Serverless Framework and other dev deps)
- All three alerts are resolved by upgrading to `lodash@4.18.0`
Solution
Add an `overrides` entry in `package.json` to force `lodash@>=4.18.0` for all transitive dependencies, then regenerate `package-lock.json`. Note that the `overrides` field is honoured by npm 8.3 and later only; Yarn (`resolutions`) and pnpm (`pnpm.overrides`) use their own fields. After regenerating the lockfile, confirm with `npm ls lodash` that no copy below 4.18.0 remains, and check that Dependabot closes all three alerts against the new lockfile.