From 154ad2b402257ee9fa7312b29ffe20dbf47f999c Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Thu, 11 Jul 2019 10:42:46 -0400
Subject: [PATCH] SECURITY: Upgrade lodash

There is a security hole in lodash with prototype pollution. It's not clear if Discourse is affected but to be on the safe side we will upgrade right away. Note that the front end Discourse does not appear to use `defaultsDeep` in our custom build and should be protected.
---
 yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index e8b5afbe81..7cac477924 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1467,9 +1467,9 @@ linkify-it@^2.0.0:
 uc.micro "^1.0.1"
 
 lodash@^4.17.11, lodash@^4.17.4, lodash@^4.2.0, lodash@^4.3.0:
- version "4.17.11"
- resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#b39ea6229ef607ecd89e2c8df12536891cac9b8d"
- integrity sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg==
+ version "4.17.14"
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.14.tgz#9ce487ae66c96254fe20b599f21b6816028078ba"
+ integrity sha512-mmKYbW3GLuJeX+iGP+Y7Gp1AiGHGbXHCOh/jZmrawMmsE7MS4znI3RL2FsjbqOyMayHInjOeykW7PEajUk1/xw==
 
 lolex@^2.3.2:
 version "2.7.5"