fix: override lodash >=4.18.0 to patch code injection vulnerability #120
+2
-1
@@ -35,7 +35,8 @@
"overrides": {
"tar": "^7.5.11",
"undici": "^7.24.3",
"flatted": "^3.4.2"
"flatted": "^3.4.2",
"lodash": ">=4.18.0"
}
},
"devDependencies": {
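Review bot: the new `"lodash": ">=4.18.0"` entry has no upper bound, so unlike the sibling overrides (`"tar": "^7.5.11"`, `"undici": "^7.24.3"`, `"flatted": "^3.4.2"`) it will accept any future major release of lodash, breaking changes included; `"lodash": "^4.18.0"` enforces the patched version while staying on the 4.x line and matches the caret convention used for the rest of the block. Two follow-ups: a bare `lodash` key in `overrides` applies to every copy of lodash in the tree, so run `npm ls lodash` and confirm no transitive dependent requests an older major that this would forcibly upgrade; and the commit touches only package.json (+2/-1), so package-lock.json still records the previously resolved lodash until `npm install` is rerun and the regenerated lockfile is committed, which is what `npm ci` in CI will actually install from. The commit message would also be stronger with the advisory identifier (GHSA/CVE) for the code injection issue it references, so reviewers can verify that 4.18.0 is the fixed version.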
^4.18.0 over >=4.18.0 for consistency and safety

All other overrides in this file (tar, undici, flatted) use the caret (^) operator to stay within a major version. Using >=4.18.0 is unbounded — it would accept lodash 5.x or later if such a version is ever released, which may introduce breaking API changes not accounted for by the plugin.

Since the goal is simply to enforce the patched version while staying within the stable 4.x line, ^4.18.0 is more appropriate.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
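The review above turns on a property of semver ranges: some specs cap the major version and some do not. The following is an added example, not code from the PR, the plugin, or the review bot: a dependency-free lint that reads a package.json string and reports every entry in "overrides" whose range has no upper bound, plus a helper that proposes the caret form for a bare ">=X.Y.Z". The sample package.json is constructed to mirror the fragment in the diff (the "name" field is a placeholder), and the range grammar handled is a deliberate subset of npm's semver syntax.

```javascript
// Added example, not part of the PR or the review bot's output.
// Constructed sample mirroring the package.json fragment in the diff above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-plugin", // hypothetical package name, not from the PR
  overrides: {
    tar: "^7.5.11",
    undici: "^7.24.3",
    flatted: "^3.4.2",
    lodash: ">=4.18.0",
  },
});

// A comparator in a semver range caps the major version if it is a caret
// (^1.2.3), a tilde (~1.2.3), an exact or x-range version with a fixed major
// (4.18.0, =4.18.0, 4.x), or an explicit upper bound (<5.0.0, <=4.99.99).
// Bare ">" / ">=" comparators, "*" and "x" cap nothing.
const BOUNDED_COMPARATOR = /^(?:[~^]|<=?|=?\d)/;

// One "||"-free comparator set is bounded above if any comparator caps it,
// e.g. ">=4.18.0 <5.0.0" is bounded, ">=4.18.0" is not.
function comparatorSetIsBounded(set) {
  const comparators = set.trim().split(/\s+/).filter(Boolean);
  return comparators.some((c) => BOUNDED_COMPARATOR.test(c));
}

// A full range is bounded only if every "||" alternative is bounded, since
// the resolver may pick a version from any of them.
function rangeIsBounded(range) {
  return range.split("||").every(comparatorSetIsBounded);
}

// Returns the override keys whose spec is a plain range with no upper bound.
// Nested override objects and "$dep" references are skipped: their effective
// range cannot be judged from the string alone.
function findUnboundedOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const overrides = pkg.overrides || {};
  return Object.entries(overrides)
    .filter(
      ([, spec]) =>
        typeof spec === "string" && !spec.startsWith("$") && !rangeIsBounded(spec)
    )
    .map(([name]) => name);
}

// Proposes the caret equivalent for a bare ">=X.Y.Z" spec, the fix the review
// suggests; returns null for anything else so callers do not rewrite blindly.
function suggestCaret(spec) {
  const m = spec.trim().match(/^>=\s*(\d+\.\d+\.\d+)$/);
  return m ? `^${m[1]}` : null;
}

// Stand-alone usage: lists offending overrides and the proposed replacement.
for (const name of findUnboundedOverrides(SAMPLE_PACKAGE_JSON)) {
  const spec = JSON.parse(SAMPLE_PACKAGE_JSON).overrides[name];
  console.log(`${name}: ${spec} is unbounded, consider ${suggestCaret(spec)}`);
}
```

Run it against a real package.json with `findUnboundedOverrides(fs.readFileSync("package.json", "utf8"))`; anything it reports will follow the next major release of that package the moment the lockfile is regenerated, which is exactly what a security override should not do.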