
chore(deps): update dependency lodash to v4.17.21 #13963

Closed

Conversation

mrnonz commented Jan 17, 2022

Pull Request Checklist

Please make sure to review and check all of these items:

  • Have you added new tests to prevent regressions?
  • Does npm run test or npm run test-DIALECT pass with this change (including linting)?
  • Is a documentation update included (if this change modifies existing APIs, or introduces new ones)?
  • Did you update the typescript typings accordingly (if applicable)?
  • Does the description below contain a link to an existing issue (Closes #[issue]) or a description of the issue you are solving?
  • Did you follow the commit message conventions explained in CONTRIBUTING.md?

Description Of Change

This PR is updating lodash to the most recent version to cater for anyone who is still on v5 and who wants to get rid of CVE-2021-23337 and CVE-2020-28500.

WikiRik (Member) commented Jan 17, 2022

Hi! Thanks for the PR! Aren't you able to already update lodash to the newest version because of the ^?

mrnonz (Author) commented Jan 17, 2022

I had a problem with the lock file:

```
lodash@^4.16.4, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.5:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52"
  integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==
```

It's resolved to lodash@v4.17.20 rather than lodash@v4.17.21, so I'll have to manually fix this. I believe that many sequelize@v5 users will be pleased with the PR.

WikiRik (Member) commented Jan 17, 2022

When I use npm 8.3.0 on a new project and only install sequelize@5 as a dependency I get sequelize version 5.22.5 and lodash version 4.17.21. With yarn 1.22.17 the same. Therefore I will close this PR.

I think you should get the same results if you run yarn upgrade, or by removing the node_modules folder and the yarn.lock file and running yarn install.
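An added example of the check this exchange implies, not code from the sequelize project or from either commenter: parse a yarn.lock (v1 format) and report any lodash entry whose pinned version is below 4.17.21, the release the PR names as fixing CVE-2020-28500 and CVE-2021-23337. The sample lock text is constructed; its lodash block mirrors the excerpt quoted above, and the lodash.get block is a placeholder added to show that other packages are skipped.

```javascript
// Added example, not code from sequelize or the PR: audit a yarn.lock (v1)
// for a package pinned below the version that fixes a known advisory.
// Constructed sample; the lodash block mirrors the one quoted in the PR.
const SAMPLE_LOCK = `# yarn lockfile v1
lodash@^4.16.4, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.5:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52"
  integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==

"lodash.get@^4.4.2":
  version "4.4.2"
`;
// v1 blocks: an unindented header of comma-separated "name@range" keys ending
// in ':', then two-space-indented `field value` lines (deeper lines are deps).
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {
      const keys = line.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@' (handles @scope/name@range).
      current = { name: keys[0].slice(0, keys[0].lastIndexOf('@')), keys, fields: {} };
      entries.push(current);
    } else if (indent === 2 && current) {
      const m = line.trim().match(/^(\w+)\s+"?([^"]*)"?$/);
      if (m) current.fields[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric major.minor.patch comparison; prerelease suffixes are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Every entry for `pkg` pinned below `fixedVersion`, with the ranges that pin it.
function findVulnerablePins(lockText, pkg, fixedVersion) {
  return parseYarnLock(lockText)
    .filter((e) => e.name === pkg && e.fields.version && compareVersions(e.fields.version, fixedVersion) < 0)
    .map((e) => ({ ranges: e.keys, version: e.fields.version }));
}
```

Against the constructed lock, `findVulnerablePins(SAMPLE_LOCK, 'lodash', '4.17.21')` returns one finding: 4.17.20 pinned by the five caret ranges, which is exactly the situation that `yarn upgrade` or regenerating yarn.lock resolves.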

WikiRik closed this Jan 17, 2022

mrnonz (Author) commented Jan 18, 2022

I'm aware of this, but I believe it will be useful to many people as they attempt to upgrade various projects with regard to security.

Let’s see this PR on axios axios/axios#4379 (comment)

Thank you for your assistance.
