The popular package Lodash was in high severe pollution and got alert from GitHub.



Remediation

Upgrade lodash to version 4.17.13 or later. For example:
"dependencies": {
  "lodash": ">=4.17.13"
}
or…
"devDependencies": {
  "lodash": ">=4.17.13"
}
Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2019-10744 More information
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.


https://github.com/kueiapp/typescript-express-mongodb/network/alert/package-lock.json/lodash/open
https://github.com/lodash/lodash/pull/4336