Medium severity vulnerability found in lodash

[dep-deprecated]

snyk reports a Regular Expression Denial of Service vulnerability on one of your dependencies, lodash 4.17.5.

✗ Medium severity vulnerability found in lodash
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-73639
  Introduced through: snyk@1.89.0
  From: snyk@1.89.0 > lodash@4.17.5
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of lodash. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

and

Analyzing npm dependencies for package.json
Querying vulnerabilities database...
Tested 255 dependencies for known vulnerabilities, found 3 vulnerabilities, 23 vulnerable paths.

? 2 vulnerabilities introduced via async@2.6.1
- info: https://snyk.io/package/npm/async/2.6.1

Thanks in advance!

[dscalzi]

Bump

[aearly]

We don't use that method so it doesn't apply to us. We removed lodash in v3.0. I think there were some issues for us to migrate off that minor version of lodash on the 2.x line of Async.

…

On Fri, Feb 8, 2019, 2:12 AM Daniel Scalzi ***@***.*** wrote: Bump — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1620 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAiEbmULsTIq6AwY5RHZJNcM60O1Lw7tks5vLWmygaJpZM4ah0sH> .

[dscalzi]

I think a simple patch update would do the trick.

or set v3.0.0 as latest on npm, as currently it's just next and not shown by npm outdated

[aearly]

Updating lodash was no issue, I've published v2.6.2 with the update.