[x] I've read through the Docs and Guides to make sure this functionality doesn't already exist
[x] I've searched open issues to make sure I'm not opening a duplicate issue
Victory is currently using v4.17.4 of lodash.
This version of lodash has a Prototype Pollution vulnerability which is fixed in v4.17.5.
https://snyk.io/vuln/npm:lodash:20180130
This causes Victory to be flagged by vulnerability-scanning services such as Snyk.
Victory's version should be updated to avoid having applications which implement it be exposed to this vulnerability.
@asos-robertmorgan thank you for pointing this out. I will update lodash in the next release.
fixed in the latest version.
Thanks @boygirl!
How comes that I am getting the same error, even after upgrading lodash to 4.17.10? Is it a cache issue? In my case, it is a dependency of cordova-android.
@aleksander351 The reason you're still seeing that error is, as you said, because it's a dependency of a dependency - cordova-android.
You'd need to raise an issue with each library that your application imports which is using the outdated dependency.
Here is @aleksander351 ' s ticket at Apache https://issues.apache.org/jira/browse/CB-14088
i am getting the same error even after updating lodash to the current version(4.17.10)
it is a dependency of mongoosastic ,
package : lodash
Dependency of : mongoosastic
Path: mongoosastic > elasticsearch >lodash
Most helpful comment
@aleksander351 The reason you're still seeing that error is, as you said, because it's a dependency of a dependency - cordova-android.
You'd need to raise an issue with each library that your application imports which is using the outdated dependency.