Dependency Issues #213
Comments
Hi, @nothingismagick. Thanks for notifying me about this. I didn't realize they were out of sync with the rest of lodash. The goal was to keep the package size as small as possible. The new build system supports tree shaking, so it should be an easy switch, now.
That’s great, because I had to relax my auditing configuration for the
app-extension I’m building for the Quasar framework, thanks for the
consideration!
I believe I have all of these fixed in my current PR for
You are using the modularized versions of lodash, and these are outdated. Specifically, lodash.merge is vulnerable to prototype pollution: https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
I would recommend moving to lodash 4.17.11 or greater.
Here are the packages you are using:
Is there a reason not to just import like this:
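The prototype-pollution class of bug reported above for lodash.merge, shown as an added example that is not part of the original issue and is not lodash's code: a simplified recursive merge that follows a `__proto__` key into `Object.prototype`, beside a version that refuses such keys. The names `unsafeMerge`, `safeMerge`, `BLOCKED_KEYS`, `demo` and the JSON input are constructed for illustration.

```javascript
// Simplified recursive merge for illustration only (not lodash's source).
// It descends into whatever target[key] returns, so the key "__proto__"
// resolves to Object.prototype and the nested values are written there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can reach a prototype object during a recursive merge.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: skips prototype-reaching keys and only descends into
// properties the target owns itself, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges constructed untrusted JSON, then reads the property from an
// unrelated fresh object to see whether Object.prototype was modified.
function demo(mergeFn) {
  const untrusted = JSON.parse('{"theme":{"dark":true},"__proto__":{"polluted":"yes"}}');
  const merged = mergeFn({}, untrusted);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // restore global state after the check
  return { merged, leaked };
}

console.log('unsafe:', demo(unsafeMerge).leaked, '| safe:', demo(safeMerge).leaked);
```

The same read-from-a-fresh-object check works as a regression test against whichever merge function an application actually ships.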