Recently the lodash package reported a security vulnerability issue on its GitHub page. You can find the details here: https://github.com/lodash/lodash/issues/5083.
The latest version of lodash has a Command Injection security vulnerability (CVE-2021-23337): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337 and https://snyk.io/vuln/SNYK-JS-LODASH-1040724. "All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template."
They have resolved the issue and the fix is present in lodash v4.17.21.
I am using Angular 10. I am not using lodash directly, but one of the Angular packages, @angular/[email protected], internally uses @babel/[email protected], and this babel package internally uses [email protected].
The Angular team will update the version number in their next release, but currently I don't want to upgrade to the latest version of Angular. Therefore, my question is: how can I update only the lodash package, a child dependency (a required dependency of @babel/core), from [email protected] to v4.17.21?
npm update lodash

did the trick for me. This isn't exactly what you asked for, because it updates to the latest lodash that satisfies the requirements of your dependencies, rather than the specific version 4.17.21. It just so happens that (at the time of this writing) the latest version for @angular/localize is 4.17.21. If you genuinely need a specific version that isn't the latest that satisfies your dependencies, read on.

Let's say, hypothetically, you wanted to update to 4.17.20. You might try npm update lodash@4.17.20. Alas, that doesn't work. The command runs fine, but doesn't update anything. In that case, you'd have to run npm install lodash@4.17.20 first. That will update all your dependencies as well (assuming 4.17.20 satisfies their requirements). Then run npm uninstall lodash@4.17.20 to remove it from your direct dependencies.
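Whichever of the two routes above you take, the thing to verify afterwards is that no nested copy of lodash (for example the one under @babel/core) is still below 4.17.21. The following is an added example, not code from the question or answer: it reads a package-lock.json object in either lockfile format and lists every lodash entry that is still older than the fixed release; the sample lockfile it runs on is constructed, not from a real project.

```javascript
// Added example, not code from the question or answer above: after the update,
// check that every lodash copy resolved in package-lock.json is at least
// 4.17.21, the release that fixes CVE-2021-23337. Supports lockfileVersion 1
// (nested "dependencies") and 2/3 ("packages" keyed by node_modules path).
const FIXED_VERSION = '4.17.21';

// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved lodash entry, as [{ path, version }], including nested copies.
function findLodashEntries(lock) {
  const found = [];
  if (lock.packages) {                                   // lockfileVersion 2/3
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/lodash') && meta.version) found.push({ path: p, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {                       // lockfileVersion 1
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      if (name === 'lodash' && meta.version) found.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Entries still below the fixed version; an empty array means the fix landed everywhere.
function vulnerableLodash(lock) {
  return findLodashEntries(lock).filter(e => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile (not from a real project): the top-level lodash was
// updated, but the copy nested under @babel/core was not.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.21' },
    '@babel/core': { dependencies: { lodash: { version: '4.17.20' } } },
  },
};
console.log(vulnerableLodash(sampleLock)); // [{ path: 'node_modules/@babel/core/node_modules/lodash', version: '4.17.20' }]
```

To run it against a real project, replace sampleLock with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; `npm ls lodash` gives the same picture from the command line.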