React-color: Update lodash dependency (see CVE-2020-8203)

Created on 16 Sep 2020  路  2Comments  路  Source: casesandberg/react-color

Current used version is 4.17.15.
Please refer to https://nvd.nist.gov/vuln/detail/CVE-2020-8203 and consider update to 4.17.20 (latest).

Most helpful comment

@slangberg is right. [email protected] needs to be removed to avoid the security flag. The normal version of lodash-es can be controlled via upgrading or adding to resolutions, but lodash-ES is locked, and is a vulnerability.

All 2 comments

this issue will fail any automated security scanning and it is preventing users from consuming this package. There is no fixing lodash-es and it is permanently stuck at .15 which has a critical security issue. Until this is fixed, the current version is unusable.

@slangberg is right. [email protected] needs to be removed to avoid the security flag. The normal version of lodash-es can be controlled via upgrading or adding to resolutions, but lodash-ES is locked, and is a vulnerability.

Was this page helpful?
0 / 5 - 0 ratings