fix: override lodash >=4.18.0 to patch code injection vulnerability #51
+2
-1
@@ -44,6 +44,7 @@
|
|||||||
},
|
},
|
||||||
"overrides": {
|
"overrides": {
|
||||||
"tar": "^7.5.11",
|
"tar": "^7.5.11",
|
||||||
"undici": "^7.24.3"
|
"undici": "^7.24.3",
|
||||||
|
"lodash": ">=4.18.0"
|
||||||
}
|
}
|
||||||
|
|
|||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user
The constraint
>=4.18.0allows resolution to any future major version of lodash (e.g. 5.x, 6.x), which could introduce breaking API changes silently. Since this override is solely targeting a security fix within the 4.x line, constraining to^4.18.0(i.e.>=4.18.0 <5.0.0) is safer and matches the precedent of the other overrides in this file.Prompt To Fix With AI