This repository has been archived by the owner on Jul 17, 2024. It is now read-only.

@elastic/datemath contains lodash version with Critical Security Vulnerability #191

Open
danverd opened this issue Oct 22, 2021 · 2 comments

danverd commented Oct 22, 2021

It appears that the project is using @elastic/datemath v2.5.0. This version of datemath contains a lodash version that has a security vulnerability. Seems that datemath is on v4.0.2 at this point. Not sure of the procedures of this repo, but should I go ahead and create a PR with this updated version? Is there a process of testing backwards compatibility? Thanks!

warrenv self-assigned this Nov 1, 2021

warrenv (Contributor) commented Nov 1, 2021

Thanks for the heads up, Daniel.
I am going to be working to get all packages updated in the next week or two. This will involve expanding the test coverage to make future package updates go smoother.

warrenv (Contributor) commented Nov 2, 2021

@danverd It looks like there are some unit tests covering the date utils.
If you'd like to try bumping the version of @elastic/datemath and see if the unit tests run, that would be very helpful.
