URGENT: Corvid-cli high-risk vulnerability

@sheyla @reinhardts

Sometime last month, one of the dependency packages for corvid-cli was found to have a very high-risk prototype pollution vulnerability:
https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/

Since then, the dependency package has received a patch, but it does not ship by default with the current version of the corvid-cli package. This is a vital 5-minute fix, so please pass it on ASAP :slight_smile:


I’ll make sure this gets to the right people :smiling_face:

Thanks Sheyla!

@sheyla

I noticed an update roll out, but it looks like the corvid parent package is still using an outdated version of lodash; the corvid-cli package is now all set. Please refer the team to these screenshots, and thank you for taking this seriously!
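The situation described above (a patched top-level copy of lodash hiding an older copy nested under another package) is exactly what a flat `npm ls` glance can miss. The following is an added example, not code from the thread or from the corvid project: it walks a constructed package-lock.json v1 tree and reports every installed copy of a package below a minimum version. The lock-file contents, the `MIN_SAFE_VERSION` threshold and the function names are all this example's own assumptions.

```javascript
// Added example: walk a (constructed) npm package-lock.json v1 tree and report
// every copy of a package whose version is below a minimum. The names
// findPackage, compareSemver and outdatedCopies are this example's own.

// Constructed lock-file excerpt, not the real corvid lock file. It mirrors the
// situation in the thread: the top-level lodash is current, but the copy nested
// under the "corvid" package is still old.
const lockFile = {
  dependencies: {
    "corvid-cli": { version: "0.1.0", requires: { lodash: "^4.17.15" } },
    lodash: { version: "4.17.15" },
    corvid: {
      version: "0.1.0",
      requires: { lodash: "^4.17.11" },
      dependencies: {
        lodash: { version: "4.17.11" },
      },
    },
  },
};

// Assumed threshold for illustration; take the real value from the advisory.
const MIN_SAFE_VERSION = "4.17.12";

// Compare two "x.y.z" strings numerically (pre-release tags are ignored).
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name` with its install path,
// so nested (transitive) copies are not hidden by a healthy top-level one.
function findPackage(tree, name, path = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) found.push({ path: here.join(" > "), version: info.version });
    found.push(...findPackage(info, name, here));
  }
  return found;
}

// Return only the copies that still need the patch.
function outdatedCopies(tree, name, minVersion) {
  return findPackage(tree, name).filter(
    (c) => compareSemver(c.version, minVersion) < 0
  );
}

console.log(outdatedCopies(lockFile, "lodash", MIN_SAFE_VERSION));
```

To run this against a real project, replace `lockFile` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any entry it prints is a nested copy that a top-level bump alone did not fix.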

Hi David! I just wanted to let you know that a fix will be pushed tomorrow morning. Thank you so much for spotting this and sending it our way.

Thank you!