Hi,
We detect two alerts from our product as below. Could you please help us complete the changes to upgrade lodash to 4.17.21 for these packages jsonrpc-websocket-client json-rpc-peer and bump their versions in npm too?
Thanks,
Yvonne
Alert 1
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Alert 2
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Hi,
We detect two alerts from our product as below. Could you please help us complete the changes to upgrade lodash to 4.17.21 for these packages jsonrpc-websocket-client json-rpc-peer and bump their versions in npm too?
Thanks,
Yvonne
Alert 1
Alert 2