Skip to content

npm-check-fork is pinning an older version of lodash, which now has a security issue #5743

Open
Open
npm-check-fork is pinning an older version of lodash, which now has a security issue#5743
@kgetz-arista

Description

@kgetz-arista
kgetz-arista
opened on Apr 2, 2026

lodash 4.17.x is being used here: https://github.com/microsoft/rushstack/blob/main/libraries/npm-check-fork/package.json#L45

However, that version now has multiple security issues:

GHSA-r5fr-rjxr-66jc
GHSA-f23m-r3pf-42rh

Recommendation: use ^ for version ranges, not ~. I see that a similar issue (#5742) was filed against another package in the repo.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    Bug Triage

    Status

    Needs triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions