From c258d825dd25a3c090b6371c832ea20d6ec98dea Mon Sep 17 00:00:00 2001
From: Jason Brown
Date: Fri, 26 Jul 2019 17:38:45 +0100
Subject: [PATCH] fix vulnerability in lodash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prototype Pollution

Vulnerable module: lodash
Introduced through: graphql-cli@3.0.12

Detailed paths
Introduced through: @spherehq/database@0.13.1 › graphql-cli@3.0.12 › graphql-cli-prepare@1.4.19 › lodash@4.17.5
Remediation: No remediation path available.

Vulnerable Functions
lodash.safeGet

Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This is due to an incomplete fix to CVE-2018-3721.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index f20a587c2..8a5278889 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,6 @@
 "fs-extra": "5.0.0",
 "graphql-import": "0.4.5",
 "graphql-static-binding": "0.9.3",
- "lodash": "4.17.5"
+ "lodash": "4.17.11"
 }
 }
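Review bot: The bump in the `"lodash": "4.17.5"` → `"lodash": "4.17.11"` line only changes the project's direct pin, but the commit message says the vulnerable copy is reached transitively via `graphql-cli@3.0.12 › graphql-cli-prepare@1.4.19 › lodash@4.17.5`, and no lockfile is touched in this diff. Unless graphql-cli-prepare's range accepts 4.17.11 and the package manager dedupes to the top-level copy, a nested lodash@4.17.5 can remain installed under node_modules/graphql-cli-prepare and the merge/mergeWith/defaultsDeep issue described in the message stays reachable. Please include the regenerated lockfile in the same commit and confirm with `npm ls lodash` (or `yarn why lodash`) that only 4.17.11 resolves; otherwise the message's own "No remediation path available" note is still accurate and the commit title overstates what the change achieves. The message also lists `lodash.safeGet` under "Vulnerable Functions" while the overview names merge, mergeWith and defaultsDeep; worth reconciling so the record of what was fixed is clear.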