react-scripts: Babel < 7.5.0 uses unsafe version of lodash

Created by: thefivetoes

Describe the bug

react-scripts is using @babel/core 7.4.3 which uses lodash < 4.17.13 and is subject to CVE-2019-10744.

Please upgrade to @babel/core 7.5.0, which uses lodash 4.17.13 and is not subject to the vulnerability.

Did you try recovering your dependencies?

N/A

Which terms did you search for in User Guide?

N/A

Environment

Environment:
  OS:  macOS High Sierra 10.13.6
  Node:  10.15.3
  Yarn:  1.3.2
  npm:  6.4.1
  Watchman:  4.7.0
  Xcode:  Not Found
  Android Studio:  Not Found

Packages: (wanted => installed)
  react: ^16.8.4 => 16.8.6
  react-dom: ^16.8.4 => 16.8.6
  react-scripts: 3.0.1 => 3.0.1

Steps to reproduce

N/A

Expected behavior

Using the latest version of babel should not trigger Github "Known security vulnerabilities detected" warnings.

Actual behavior

Github is sending notifications that our project is a version of lodash that is known to be insecure:

Reproducible demo

N/A

Created by: heyimalex

Babel 7.4.3 depends on lodash ^4.17.11, which will resolve to 4.17.13 today. It's annoying, but I don't think we need to change anything on our end. You can fix this on yours by recovering your dependencies.

Created by: thefivetoes

Ah thanks @heyimalex, my mistake. Definitely should have tried that (I read that section but didn't think it applied here ). I assume that this will be good enough of a solution to quiet down the Github security vulnerabilities alerts. Closing this issue and my corresponding PR.

Thanks!

Created by: heyimalex

No worries! It’s honestly a pretty confusing system.