[Snyk] Security upgrade lodash from 4.17.20 to 4.17.23#159
[Snyk] Security upgrade lodash from 4.17.20 to 4.17.23#159
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
There was a problem hiding this comment.
Pull request overview
This is an automated Snyk security PR that upgrades lodash in the Framer components package to fix a Prototype Pollution vulnerability (SNYK-JS-LODASH-15053838).
Changes:
- Updated lodash dependency from ^4.17.19 to ^4.17.23 in the Framer components package.json
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@material-ui/icons": "^5.0.0-alpha.4", | ||
| "@material-ui/utils": "^5.0.0-alpha.1", | ||
| "lodash": "^4.17.19" | ||
| "lodash": "^4.17.23" |
There was a problem hiding this comment.
The PR description states this upgrade is from lodash 4.17.20 to 4.17.23, but the diff shows the upgrade is from 4.17.19 to 4.17.23. This discrepancy should be noted, though it doesn't affect the security fix since both 4.17.19 and 4.17.20 contain the vulnerability being addressed.
| "@material-ui/utils": "^5.0.0-alpha.1", | ||
| "lodash": "^4.17.19" | ||
| "lodash": "^4.17.23" | ||
| }, |
There was a problem hiding this comment.
The yarn.lock file at framer/Material-UI.framerfx/yarn.lock still references lodash version 4.17.19 (see lines 223-226) and has not been updated to reflect the package.json change to 4.17.23. This means that even with this PR merged, the vulnerable version 4.17.19 will continue to be installed, and the security fix will not actually be applied. The yarn.lock file must be updated by running 'yarn install' or 'yarn upgrade lodash@^4.17.23' in the framer/Material-UI.framerfx directory before merging this PR.
| }, | |
| }, | |
| "resolutions": { | |
| "lodash": "^4.17.23" | |
| }, |
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
framer/Material-UI.framerfx/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution