Current used version is 4.17.15.
Please refer to https://nvd.nist.gov/vuln/detail/CVE-2020-8203 and consider update to 4.17.20 (latest).
this issue will fail any automated security scanning and it is preventing users from consuming this package. There is no fixing lodash-es and it is permanently stuck at .15 which has a critical security issue. Until this is fixed, the current version is unusable.
@slangberg is right. [email protected] needs to be removed to avoid the security flag. The normal version of lodash-es can be controlled via upgrading or adding to resolutions, but lodash-ES is locked, and is a vulnerability.
Most helpful comment
@slangberg is right. [email protected] needs to be removed to avoid the security flag. The normal version of lodash-es can be controlled via upgrading or adding to resolutions, but lodash-ES is locked, and is a vulnerability.