SECURITY: Upgrade lodash

There is a security hole in lodash with prototype pollution. It’s not clear if Discourse is affected but to be on the safe side we will upgrade right away.

Note that the Discourse front end does not appear to use defaultsDeep in our custom build and should be protected.

diff --git a/yarn.lock b/yarn.lock
index e8b5afbe81..7cac477924 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1467,9 +1467,9 @@ linkify-it@^2.0.0:
     uc.micro "^1.0.1"
 
 lodash@^4.17.11, lodash@^4.17.4, lodash@^4.2.0, lodash@^4.3.0:
-  version "4.17.11"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#b39ea6229ef607ecd89e2c8df12536891cac9b8d"
-  integrity sha512-cQKh8igo5QUhZ7lg38DYWAxMvjSAKG0A8wGSVimP07SIUEK2UO+arSRKbRZWtelMtN5V0Hkwh5ryOto/SshYIg==
+  version "4.17.14"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.14.tgz#9ce487ae66c96254fe20b599f21b6816028078ba"
+  integrity sha512-mmKYbW3GLuJeX+iGP+Y7Gp1AiGHGbXHCOh/jZmrawMmsE7MS4znI3RL2FsjbqOyMayHInjOeykW7PEajUk1/xw==
 
 lolex@^2.3.2:
   version "2.7.5"
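Review bot: the hunk moves the lockfile resolution from 4.17.11 to 4.17.14, but the declared ranges on the unchanged line above it, `lodash@^4.17.11, lodash@^4.17.4, lodash@^4.2.0, lodash@^4.3.0`, still admit the vulnerable 4.17.11, so a regenerated lockfile is free to resolve below the fixed release; consider raising the direct dependency's range in package.json to `^4.17.14` alongside this pin, and have the commit message cite the advisory for the prototype-pollution fix so the bump is traceable.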

GitHub sha: 2f91f88d

While you merge the yarn.lock change, in master there is also DEV: updates lodash to 4.17.13 (#7883) · discourse/discourse@afe922c · GitHub

Are those additional changes in the pipeline for stable?

Discourse does not use defaultsDeep, so it is not affected. We decided to automate upgrading lodash after this fix, but that is not security-related.

OK, thank you for the clarification. I was just confused by seeing different commit sets for the branches.