Skip to content

npm-check-fork is pinning an older version of lodash, which now has a security issue #5743

Description

@kgetz-arista

lodash 4.17.x is being used here: https://github.com/microsoft/rushstack/blob/main/libraries/npm-check-fork/package.json#L45

However, that version now has multiple security issues:

GHSA-r5fr-rjxr-66jc
GHSA-f23m-r3pf-42rh

Recommendation: use ^ for version ranges, not ~. I see that a similar issue (#5742) was filed against another package in the repo.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Closed

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions