Lodash security audits #2877

Closed
zachleat opened this issue Mar 21, 2023 · 2 comments
Labels
bug: dependency A problem in one of Eleventy’s dependencies npm-audit Security audits from npm

Comments


zachleat commented Mar 21, 2023

Regression from #2697

Upstream at https://github.com/lodash/lodash/issues/5499

https://security.snyk.io/package/npm/lodash.set

I do wonder if that particular vulnerability will also just exist on the upstream library too? It looks like the code hasn’t changed since 2017: https://github.com/lodash/lodash/blame/master/set.js It may be a larger issue with how (and when) lodash issues these single function packages!

@zachleat zachleat added bug: dependency A problem in one of Eleventy’s dependencies npm-audit Security audits from npm labels Mar 21, 2023
@zachleat zachleat added this to the Eleventy 2.0.1 milestone Mar 21, 2023

zachleat commented Mar 22, 2023

We’re doing a lodash custom build to fix this, per the notes documented here: https://github.com/11ty/lodash-custom


Shipping with 2.0.1
