We keep getting a Dependabot alert about lodash and Code Connect from npm audit. We would like the features of higher Code Connect versions but run into this on versions above 1.3.5:
lodash <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix --force`
Will install @figma/code-connect@1.3.5, which is a breaking change
node_modules/lodash
@figma/code-connect >=1.3.6
Depends on vulnerable versions of lodash
node_modules/@figma/code-connect
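The audit output above only tells you that @figma/code-connect >=1.3.6 resolves to a lodash inside the advisory range (<=4.17.23), and that the only fix npm can compute is downgrading Code Connect. Before reaching for a package.json "overrides" pin, two things are worth checking from the lockfile: which dependency chain actually pulls the flagged copy in, and whether every dependent's declared range would accept the version you want to pin (an override forces a version the dependent was never tested against). The script below is an added example, not code from the original post, from Figma or from npm. It walks a lockfileVersion 3 "packages" map the way node resolves node_modules, reports each chain to the advisory's package with the installed version, and checks a proposed override against every dependent's range. The lockfile is constructed to mirror the tree in the audit output; the version 1.3.6, the range ^4.17.21, the installed 4.17.21 and the "fixed" 4.17.24 are assumptions (4.17.24 stands for whatever version the advisory marks as patched, which you should take from the advisory page, not from here).

```javascript
'use strict';

// Constructed sample lockfile (lockfileVersion 3). Names follow the audit
// output; versions and declared ranges are assumed, not taken from npm.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@figma/code-connect': '^1.3.6' } },
    'node_modules/@figma/code-connect': {
      version: '1.3.6',                      // assumed
      dependencies: { lodash: '^4.17.21' },  // assumed declared range
    },
    'node_modules/lodash': { version: '4.17.21' }, // assumed installed copy
  },
};

// Advisory data copied from the audit output: lodash <=4.17.23 is flagged.
const ADVISORIES = [{
  name: 'lodash',
  maxVulnerable: '4.17.23',
  ids: ['GHSA-r5fr-rjxr-66jc', 'GHSA-f23m-r3pf-42rh'],
}];

// Strip a leading range operator and split "major.minor.patch" into numbers.
function parseVersion(v) {
  return v.replace(/^[\^~>=<]+/, '').split('.').map(Number);
}

// Three-part numeric compare; negative if a < b, zero if equal, positive if a > b.
function cmp(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Resolve dependency `dep` of the package stored under lockfile key `fromKey`
// the way node does: nearest node_modules folder, walking up to the root.
function resolveDep(lock, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Package name from a lockfile key such as "node_modules/@figma/code-connect".
function nameOf(key) {
  return key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Depth-first walk from the root project; returns every chain of package
// names that ends at `target` (what npm audit prints as "node_modules/<target>").
function findPathsTo(lock, target) {
  const paths = [];
  const visit = (key, chain, seen) => {
    const pkg = lock.packages[key];
    if (!pkg || seen.has(key)) return;      // guard against cycles
    const seenHere = new Set(seen).add(key);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depKey = resolveDep(lock, key, dep);
      if (!depKey) continue;                // missing from lockfile; skip
      const next = chain.concat(dep);
      if (dep === target) paths.push(next);
      visit(depKey, next, seenHere);
    }
  };
  visit('', [], new Set());
  return paths;
}

// Inclusive upper bound, matching the "<=4.17.23" in the audit output.
function isVulnerable(installed, maxVulnerable) {
  return cmp(installed, maxVulnerable) <= 0;
}

// Minimal range check: exact pins and caret ranges with major >= 1 only.
// Enough for this sample; use the `semver` package for real manifests.
function rangeAllows(range, version) {
  if (range.startsWith('^')) {
    if (parseVersion(range)[0] !== parseVersion(version)[0]) return false;
    return cmp(version, range) >= 0;
  }
  return cmp(range, version) === 0;
}

// One finding per chain reaching an advisory's package: the copy that chain
// actually resolves to, its version, and whether it is inside the range.
function auditTree(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    for (const chain of findPathsTo(lock, adv.name)) {
      let key = '';
      for (const dep of chain) key = resolveDep(lock, key, dep);
      const version = lock.packages[key].version;
      findings.push({
        advisory: adv.ids.join(','), package: adv.name, version,
        via: chain.join(' > '), vulnerable: isVulnerable(version, adv.maxVulnerable),
      });
    }
  }
  return findings;
}

// Before adding  "overrides": { "<name>": "<fixedVersion>" }  to package.json,
// confirm every dependent's declared range accepts the pin; otherwise report
// the conflicts instead of silently forcing an untested version.
function planOverride(lock, name, fixedVersion) {
  const conflicts = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    const range = (pkg.dependencies || {})[name];
    if (range && !rangeAllows(range, fixedVersion)) {
      conflicts.push({ dependent: key === '' ? lock.name : nameOf(key), range });
    }
  }
  return conflicts.length
    ? { ok: false, conflicts }
    : { ok: true, overrides: { [name]: fixedVersion } };
}

console.log(JSON.stringify(auditTree(SAMPLE_LOCK), null, 2));
console.log(JSON.stringify(planOverride(SAMPLE_LOCK, 'lodash', '4.17.24')));
console.log(JSON.stringify(planOverride(SAMPLE_LOCK, 'lodash', '5.0.0')));
```

Two caveats when you do pin with "overrides": run `npm install` afterwards so package-lock.json is regenerated, because both npm audit and Dependabot read the lockfile rather than package.json; and an override that passes the range check still only tells you the dependent accepts the version, not that the flagged code paths (`_.template`, `_.unset`, `_.omit`) were ever reachable with untrusted input in your build, which the audit output alone does not establish.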