The popular package Lodash was in high severe pollution and got alert from GitHub.


Upgrade lodash to version 4.17.13 or later. For example:
"dependencies": {
  "lodash": ">=4.17.13"
"devDependencies": {
  "lodash": ">=4.17.13"
Always verify the validity and compatibility of suggestions with your codebase.


CVE-2019-10744 More information
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.