Replace unmaintained lodash per-method packages with full lodash #19

Open
wants to merge 1 commit into
base: master

@gorner gorner commented Apr 22, 2024

CVE-2021-23337 was recently updated to reflect an issue previously patched in Lodash also being present in the lodash.template package, which from all appearances is no longer maintained, resulting in users receiving NPM/GitHub alerts related to this advisory. For that matter, lodash.foreach appears to be similarly unmaintained.

I should emphasize there's nothing I've seen to suggest that sourcemap-validator's usage is risky but in my mind it is still something worth fixing.

Under the circumstances I've replaced these two sub-packages with the current full version of lodash, and adjusted require calls where needed.

I would also request to back-merge this update to the v1 release line if possible.

@legobeat

Maintainer's last GitHub activity is 2020. If anyone is inclined to take on publishing a fork with this fix, that would be a good thing.
