Open
Description
Hi there,
I noticed a bunch of security vulnerabilities within gulp-mjml. Most seem related to the version of lodash being used in the mjml package that gulp-mjml uses. Is it possible to bump the versions of lodash referenced within the various mjml modules?
Example warning:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Lodash Package for Node.js .internal/baseZipObject.js │
│ │ baseZipObject() Function Property Manipulation Resource │
│ │ Exhaustion DoS │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-mjml [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gulp-mjml > mjml > mjml-section > mjml-core > │
│ │ mjml-parser-xml > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://vulndb.cyberriskanalytics.com/vulnerabilities/228535 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Edit
Looks like the security warnings are coming from the mjml lib itself. Will check with them.
Edit 2
More research shows this is being addressed by the lodash team. See the following issue and PRs:
https://github.com/lodash/lodash/issues/4775
lodash/lodash#4745
lodash/lodash#4759
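The audit table above only shows one path; a transitive package like lodash is usually reachable through several, at several versions, and the "Patched in" cell is empty, so you have to supply the fixed version yourself from the advisory. The script below is an added example, not code from gulp-mjml, mjml or lodash: it walks a nested dependency tree in the shape `npm ls --json` prints (a `dependencies` map with `version` per node), reports every path to a target package with the version installed on that path, and flags paths whose version is below a minimum fixed version that you pass in. The tree and every version number in it are constructed placeholders, not real gulp-mjml or lodash releases.

```javascript
// Added example (not gulp-mjml / mjml / lodash code). Finds every path through a
// dependency tree that reaches a target package and compares the installed
// version on each path against a caller-supplied minimum fixed version.

// Constructed sample tree in `npm ls --json` shape. Names follow the "Path" row
// of the audit output above; all version numbers are placeholders (assumption).
const SAMPLE_TREE = {
  name: 'email-build',
  version: '1.0.0',
  dependencies: {
    'gulp-mjml': {
      version: '0.0.1',
      dependencies: {
        mjml: {
          version: '0.0.1',
          dependencies: {
            'mjml-section': {
              version: '0.0.1',
              dependencies: {
                'mjml-core': {
                  version: '0.0.1',
                  dependencies: {
                    'mjml-parser-xml': {
                      version: '0.0.1',
                      // nested, older copy: what the audit table points at
                      dependencies: { lodash: { version: '4.17.10' } },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    // hoisted top-level copy at a different version
    lodash: { version: '4.17.15' },
  },
};

// Minimal semver: major.minor.patch only; pre-release tags are ignored (assumption).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Depth-first walk of the tree. Returns one hit per occurrence of `target`,
// each with the full path from the root and the version installed there.
function findPaths(tree, target) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, name];
      if (name === target) hits.push({ path: next, version: child.version });
      walk(child, next); // a package may itself nest another copy of the target
    }
  };
  walk(tree, []);
  return hits;
}

// Flags every path whose installed version is older than `minFixed`.
// `minFixed` must come from the advisory; the audit output above leaves it blank.
function auditPackage(tree, target, minFixed) {
  return findPaths(tree, target).map((hit) => ({
    ...hit,
    vulnerable: compareSemver(hit.version, minFixed) < 0,
  }));
}

function formatHit(hit) {
  const status = hit.vulnerable ? 'VULNERABLE' : 'ok';
  return `${status.padEnd(10)} ${hit.version.padEnd(8)} ${hit.path.join(' > ')}`;
}

// '4.17.15' here is a placeholder minimum, not the real lodash fix version.
for (const hit of auditPackage(SAMPLE_TREE, 'lodash', '4.17.15')) {
  console.log(formatHit(hit));
}
```

Each flagged path tells you which intermediate package pins the old copy (here the innermost `mjml-parser-xml`), which is the package whose dependency range has to change; bumping lodash in gulp-mjml's own `package.json` would only move the hoisted top-level copy. Feed the script real `npm ls --json` output and the actual fixed version from the advisory before acting on its verdicts.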