multiple vulnerabilities that exist in lodash.findlast #5832

michaelrodov · 2024-03-18T12:22:51Z

Hi
I see multiple vulnerabilities that exist in lodash.findlast
in the latest version (4.6.0)

BDSA-2019-3842
BDSA-2020-3839
CVE-2020-8203 (BDSA-2020-1674)
CVE-2021-23337 (BDSA-2021-0392)
CVE-2019-10744 (BDSA-2019-2112)

When is it planned to attend these vulnerabilities
thank you!

johnmc-tc · 2024-03-19T09:28:45Z

In the same boat. They've been flagged by our security tools as Critical and we need to remediate. Any plans to address these?

mihob · 2024-04-18T13:53:36Z

Any news on this issue?

Trott · 2024-04-18T15:36:24Z

The Lodash documentation encourages people to stop using per-method packages like lodash.findlast and install lodash instead. That won't help for indirect dependencies, but you know, FYI, if you're using lodash.findlast directly, perhaps consider switching to lodash and using _.findlast() that way instead.

mihob · 2024-04-18T15:39:53Z

In our case, it is lodash.template and a sub-dependency of another package. That's why we can't do anything about it directly.

carlgieringer mentioned this issue Mar 26, 2024

Remove lodash Howdju/howdju#674

Open

arnaudbesnier mentioned this issue Apr 25, 2024

lodash.template security vulnerability oclif/plugin-warn-if-update-available#589

Closed

Provide feedback