@MT5W4FLOP80 In the future, when reporting a potential security concern, please follow our security policy and avoid reporting through a public issue like this one.
Could you please help me understand what led you to believe that there is a dependency on a vulnerable version of lodash? You've linked to a number of CVEs for lodash, but have highlighted that the actual dependency is lodash.capitalize. That is different from the full version of lodash and is released on a different cadence than the full lodash package. Each of the CVEs listed above mentions the lodash methods that are vulnerable, and none mention capitalize.
Running npm audit --production and snyk test on the issue-parser package both report no vulnerabilities.
Everything that I have investigated suggests that there are no known vulnerabilities related to our dependency on issue-parser. Are you using a tool that is reporting different information, or do you have knowledge beyond what the tools I have explored are reporting?
Again, if you have information that would disclose a security problem without us being able to coordinate a fix before public disclosure, please leverage our security policy instead of sharing that information here.
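The reply above turns on two checks a practitioner can do by hand: confirm which package is actually installed (the per-method package lodash.capitalize is a separate npm package from lodash, so an advisory filed against lodash does not match it by name), and trace the chain that pulled it in. The following is an added example, not code from semantic-release, issue-parser or the thread participants. It walks a lockfile in the package-lock.json v3 layout (the packages map keyed by node_modules path), matches entries against advisories by exact package name, and prints the dependency chain. Both lockfiles and the advisory table below are constructed for the example; the version numbers are placeholders except the patched version 4.17.21 for CVE-2021-23337 and CVE-2020-28500, and the range matching is a simplified "below patched version" check rather than full semver.

```javascript
// Added example: exact-name matching of lockfile entries against advisories,
// plus the dependency chain that explains why a package is installed.
// Not project code; lockfiles and advisory rows are constructed for the demo.

// Constructed package-lock.json (lockfileVersion 3 layout) mirroring the chain
// described in the issue. Versions are placeholders, not real release numbers.
const SAMPLE_LOCK = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { "@semantic-release/github": "^8.0.0" } },
    "node_modules/@semantic-release/github": { version: "8.0.0", dependencies: { "issue-parser": "^6.0.0" } },
    "node_modules/issue-parser": { version: "6.0.0", dependencies: { "lodash.capitalize": "^4.2.1" } },
    "node_modules/lodash.capitalize": { version: "4.2.1" },
  },
};

// Constructed lockfile where the full lodash package really is present and outdated.
const LOCK_WITH_OLD_LODASH = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { lodash: "^4.17.15" } },
    "node_modules/lodash": { version: "4.17.15" },
  },
};

// Constructed advisory table. Both CVEs are fixed in lodash 4.17.21; for the other
// CVEs in the issue, take the patched version from the advisory database, not from here.
const ADVISORIES = [
  { id: "CVE-2021-23337", package: "lodash", patched: "4.17.21" },
  { id: "CVE-2020-28500", package: "lodash", patched: "4.17.21" },
];

// Package name from a lockfile path: everything after the last "node_modules/",
// which keeps scoped names such as "@semantic-release/github" intact.
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Every installed copy of exactly `name`. Exact match means "lodash" does not
// match "lodash.capitalize", which is the distinction the maintainer draws.
function findPackage(lock, name) {
  return Object.keys(lock.packages).filter((p) => nameFromPath(p) === name);
}

// Simplified version comparison on "major.minor.patch" (no pre-release handling).
function lessThan(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Findings: installed copies of an advisory's package below its patched version.
function auditLock(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const path of findPackage(lock, adv.package)) {
      const version = lock.packages[path].version;
      if (lessThan(version, adv.patched)) findings.push({ id: adv.id, path, version });
    }
  }
  return findings;
}

// Breadth-first walk from the root package to `target`, returning the chain of
// names. Assumes a flat (hoisted) node_modules, so dependency N lives at
// "node_modules/N"; nested copies are not resolved in this simplified walk.
function dependencyChain(lock, target) {
  const queue = [{ path: "", chain: [lock.packages[""].name] }];
  const seen = new Set([""]);
  while (queue.length) {
    const { path, chain } = queue.shift();
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const depPath = `node_modules/${dep}`;
      if (!(depPath in lock.packages) || seen.has(depPath)) continue;
      if (dep === target) return [...chain, dep];
      seen.add(depPath);
      queue.push({ path: depPath, chain: [...chain, dep] });
    }
  }
  return null;
}

console.log("lodash in sample lock:", findPackage(SAMPLE_LOCK, "lodash"));
console.log("lodash.capitalize chain:", dependencyChain(SAMPLE_LOCK, "lodash.capitalize"));
console.log("sample findings:", auditLock(SAMPLE_LOCK, ADVISORIES));
console.log("old-lodash findings:", auditLock(LOCK_WITH_OLD_LODASH, ADVISORIES));
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` (lockfile version 2 or 3, which both carry the packages map). The same exact-name rule is why npm audit and snyk test report nothing for the chain in the issue: the advisories name lodash, and the installed package is lodash.capitalize.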
Hi,
It appears that the latest version of @semantic-release/github has a transitive dependency for Lodash 4.2.1 (please see the screenshot). The outdated version of Lodash is vulnerable to the following security vulnerabilities:
lodash.capitalize/4.2.1:
CVE-2018-3721
CVE-2019-1010266
CVE-2020-28500
CVE-2018-16487
CVE-2019-10744
CVE-2020-8203
CVE-2021-23337
Could you please investigate this matter and consider updating the Lodash dependency to a secure version?
Thank you