Latest version of plato (1.7.0) using a vulnerable version of lodash (4.13.1) about plato HOT 6 OPEN

from plato.

From: https://nodesecurity.io/advisories/577

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on all objects.

Remediation
Update to version 4.17.5 or later.

@jsoverson Please fix this.

> npm audit


                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   plato [dev]

  Path            plato > lodash

  More info       https://nodesecurity.io/advisories/577

found 1 low severity vulnerability in 19605 scanned packages
  1 vulnerability requires manual review. See the full report for details.

from plato.

@jsoverson any chance we can update the dependency to >=4.17.5?

from plato.

@jsoverson sorry for the direct mentioning again. But any chance we can update the dependency to >=4.17.5 for the matter of security?

from plato.

+1 please

from plato.

I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme.

from plato.