Upgrade Lodash in UI projects

Description

Our audits revealed an issue in the Lodash library we are using extensively:
https://www.npmjs.com/advisories/1523

It has low severity, and 4 versions were released two days ago: https://www.npmjs.com/package/lodash
so let's wait a few days for it to stabilise and then update all 5 projects.

Activity

Jakub Niezgoda
July 10, 2020, 7:04 AM

If Alex agrees to do that within 5.1, let’s do that next week when you are available.

Alex Molev
July 10, 2020, 7:57 AM

Let’s do it

Jakub Niezgoda
July 20, 2020, 6:59 AM

Thanks for updating stage, composer and components.

I found that dependabot also created PRs for topology and common. As lodash is not a direct dependency of either of those packages, those PRs update lock files only. I roughly checked what the reason is, and it looks like at least babel could be upgraded to provide a newer version of lodash, but there is probably more. Could you check that? I’d be grateful.

IMHO, if there are many to update, let’s just merge those bump PRs. If we can avoid fixing only lock files (which can easily be lost when doing npm install), great.

Jakub Madej
July 20, 2020, 7:55 AM

For topology and common, the affected lodash version is an indirect devDependency. So far we have paid zero attention to devDependencies security alerts. I’d just merge these PRs and put no further effort into it.
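The transitive devDependency situation discussed in the two comments above, as an added example that is not code from the ticket or from the projects it mentions: a script that walks a v1 package-lock.json (the nested "dependencies"/"requires" format npm used at the time) from each direct dependency down to the affected package, reporting which version each path resolves to and whether the path starts from a production or a dev dependency. The package names, versions and the MIN_SAFE threshold in the sample are constructed assumptions, not values from the advisory.

```javascript
// Added example, not code from the ticket: list every path from a direct
// dependency to `target` in a v1 package-lock.json, the version each path
// resolves to, and whether that version is below `minSafe`.
// Mirror node_modules lookup: the package's own nested "dependencies" first, then enclosing scopes.
function resolve(name, scopes) {
  for (let i = 0; i < scopes.length; i++) {
    if (scopes[i] && scopes[i][name]) return { entry: scopes[i][name], scopes: scopes.slice(i) };
  }
  return null;
}
// Compare plain x.y.z versions (no prerelease handling).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}
function dependencyPaths(pkg, lock, target, minSafe) {
  const roots = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const devRoots = new Set(Object.keys(pkg.devDependencies || {}));
  const found = [], seen = new Set();
  const visit = (name, scopes, path, dev) => {
    const hit = resolve(name, scopes);
    if (!hit) return; // not in the lockfile
    const key = `${name}@${hit.entry.version}`, next = path.concat(key);
    if (name === target) {
      found.push({ path: next, dev, vulnerable: cmpVersion(hit.entry.version, minSafe) < 0 });
      return;
    }
    if (seen.has(key)) return; // expand each package@version once
    seen.add(key);
    for (const dep of Object.keys(hit.entry.requires || {})) visit(dep, [hit.entry.dependencies, ...hit.scopes], next, dev);
  };
  for (const root of Object.keys(roots)) visit(root, [lock.dependencies], [], devRoots.has(root));
  return { direct: target in roots, found };
}

// Constructed sample: lodash arrives only transitively, once via a production dependency and twice via babel devDependencies.
const SAMPLE_PACKAGE = { dependencies: { react: "^16.13.1" }, devDependencies: { "@babel/core": "^7.10.0" } };
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  react: { version: "16.13.1", requires: { lodash: "^4.17.0" } },
  lodash: { version: "4.17.15" },
  "@babel/core": { version: "7.10.0", dev: true, requires: { "@babel/types": "^7.10.0", lodash: "^4.17.19" },
                   dependencies: { lodash: { version: "4.17.19", dev: true } } },
  "@babel/types": { version: "7.10.0", dev: true, requires: { lodash: "^4.17.13" } }
} };

const MIN_SAFE = "4.17.19"; // assumed fixed version for the demo; take the real one from the advisory
const report = dependencyPaths(SAMPLE_PACKAGE, SAMPLE_LOCK, "lodash", MIN_SAFE);
console.log(`direct dependency: ${report.direct}`);
for (const h of report.found) console.log(`${h.vulnerable ? "VULN" : "ok"}\t${h.dev ? "dev" : "prod"}\t${h.path.join(" > ")}`);
```

A path marked prod is the one worth fixing first; a dev-only path is what the comment above proposes to just merge the bump PR for.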

Jakub Niezgoda
July 20, 2020, 9:03 AM

OK, this is what I’ll do.

Done

Assignee

Jakub Madej

Reporter

Jakub Niezgoda

Target Version

5.1

QA Owner

None

Premium Only

no

Documentation Required

None

Why Blocked?

None

Release Notes

yes

Priority

None

Story Points

2

Epic Link

Sprint

None

Priority

Unprioritized