The popular package Lodash received a high-severity prototype pollution alert from GitHub.

Remediation

Upgrade lodash to version 4.17.13 or later. For example:

    "dependencies": {
      "lodash": ">=4.17.13"
    }

or, in devDependencies:

    "devDependencies": {
      "lodash": ">=4.17.13"
    }

Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2019-10744
high severity
Vulnerable versions: < 4.17.13
Patched version: 4.17.13
Affected versions of lodash are vulnerable to Prototype Pollution.
The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
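As an added illustration of the mitigation (not lodash's own code, and not the fix from the linked PR), the following is a deep-defaults merge that refuses to recurse through the keys that can reach Object.prototype, together with a check that the global prototype is unchanged after merging a constructed untrusted input of the shape the advisory describes. The config fields, the `safeDefaultsDeep` and `prototypeIsClean` names, and the sample input are all assumptions made for the example.

```javascript
// Added example (not lodash's code): a defensive deep-defaults merge that
// skips keys able to alter Object.prototype, plus a check that the global
// prototype is still clean after merging untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Snapshot of Object.prototype's own property names at load time, used as
// the baseline for the cleanliness check below.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Fill in properties missing from `target` with values from `source`,
// recursing into nested plain objects. Only own keys of `source` are
// considered, and the three forbidden keys are ignored entirely, so the
// merge can never walk into Object.prototype.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(srcVal)) {
      if (!hasOwn) target[key] = {};
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], srcVal);
    } else if (!hasOwn) {
      target[key] = srcVal;
    }
  }
  return target;
}

// True when Object.prototype has gained no own properties since load time.
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((n) => BASELINE.has(n));
}

// Constructed untrusted input (hypothetical): a "constructor" key that tries
// to reach Object.prototype via constructor.prototype, mixed with ordinary
// settings. The safe merge keeps the settings and drops the rest.
const UNTRUSTED = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"port":8080,"tls":{"minVersion":"TLSv1.2"}}'
);

function demo() {
  const config = { port: 3000, tls: { ciphers: 'default' } };
  safeDefaultsDeep(config, UNTRUSTED);
  // Expected: config.port stays 3000, tls gains minVersion, prototype clean.
  return { config, clean: prototypeIsClean(), leaked: ({}).polluted };
}
```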
https://github.com/kueiapp/typescript-express-mongodb/network/alert/package-lock.json/lodash/open
https://github.com/lodash/lodash/pull/4336