Lodash dependency vulnerability in enigma-js npm package


I’m working with a public repo I created for the enigma-discovery CLI getting started guide.

Github warned me that there’s a security vulnerability in lodash, which is coming from the jayson@2.1.2 dependency used by enigma-js@0.0.5 . Just wanted to give a heads up in case it’s possible for Enigma to update their version of jayson to solve the issue. I’m not sure if it’s possible for end users depending on enigma-js to override the lodash dependency version themselves.

➜  enigma-discovery git:(master) npm ls lodash
myproject@1.0.0 /Users/dwarrier/WebstormProjects/enigma-discovery
└─┬ enigma-js@0.0.5
  └─┬ jayson@2.1.2
    └── lodash@4.17.11


Thanks @crypto_mentions, we’re well aware of it, and it’s being addressed in https://github.com/enigmampc/enigma-contract/pull/123 which will be merged today into develop. lodash is a dependency of a few other packages, so other items needed to be reviewed as well. We’re also pushing a merge from develop to master this week.

This has been addressed as of the new release announced here:

1 Like

Thank you for the link and the update here, Victor!