Sometime last month, one of the dependency packages for corvid-cli was found to have a very high-risk prototype pollution vulnerability:
Since then, the dependency package has received a patch, but does not ship by default with the current version of the corvid-cli package. This is a vital 5 minute fix, so please pass it on ASAP
I’ll make sure this gets to the right people
I noticed an update roll out, but it looks like the corvid parent package is still using an outdated version of lodash, the corvid-cli package is now all set. Please refer the team to these screenshots, and thank you for taking this seriously!
Hi David! I just wanted to let you know that a fix will be pushed tomorrow morning. Thank you so much for spotting this and sending it our way.