Regarding lodash version in grunt-legacy-util v 1.1.1

I am using grunt-legacy-util version 1.1.1

Under that I see the dependency below, where I am expecting lodash version 4.17.15, but I see version 4.17.10, which is a little old, and I want to get the latest version, 4.17.15:

"grunt-legacy-util": {
  "version": "1.1.1",
  "resolved": "http:xxxx/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "integrity": "...==",
  "dev": true,
  "requires": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  },

Please help me get the latest lodash v4.17.15 as part of grunt-legacy-util v1.1.1.

Might need more context to explain as not seeing that:

$ npm init -y
...
$ npm install grunt-legacy-util@1.1.1
..
$ npm ls lodash
10022@1.0.0 /Users/john/Documents/Sandpits/npm.community/10022
└─┬ grunt-legacy-util@1.1.1
  └── lodash@4.17.15 

Hi, thanks for your quick response.

Please find the package.json file from the node_modules of grunt-legacy-util v1.1.1:

{
  "_args": [
    [
      "grunt-legacy-util@1.1.1",
      "C:\\CodeBase\\…"
    ]
  ],
  "_development": true,
  "_from": "grunt-legacy-util@1.1.1",
  "_id": "grunt-legacy-util@1.1.1",
  "_inBundle": false,
  "_integrity": "…==",
  "_location": "/grunt-legacy-util",
  "_phantomChildren": {},
  "_requested": {
    "type": "version",
    "registry": true,
    "raw": "grunt-legacy-util@1.1.1",
    "name": "grunt-legacy-util",
    "escapedName": "grunt-legacy-util",
    "rawSpec": "1.1.1",
    "saveSpec": null,
    "fetchSpec": "1.1.1"
  },
  "_requiredBy": [
    "/grunt"
  ],
  "_resolved": "http:XXXXX/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "_spec": "1.1.1",
  "_where": "C:\\CodeBase\\…",
  "author": {
    "name": "\"Cowboy\" Ben Alman",
    "url": "http://benalman.com/"
  },
  "bugs": {
    "url": "http://github.com/gruntjs/grunt-legacy-util/issues"
  },
  "dependencies": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  },
  "description": "Some old grunt utils provided for backwards compatibility.",
  "devDependencies": {
    "grunt": "^1.0.2",
    "grunt-cli": "^1.2.0",
    "grunt-contrib-jshint": "^1.0.0",
    "grunt-contrib-nodeunit": "^2.0.0",
    "grunt-contrib-watch": "^1.0.0",
    "temporary": "0.0.8"
  },
  "engines": {
    "node": ">= 6"
  },
  "homepage": "http://gruntjs.com/",
  "keywords": [
    "grunt",
    "legacy"
  ],
  "license": "MIT",
  "main": "index.js",
  "name": "grunt-legacy-util",
  "repository": {
    "type": "git",
    "url": "git://github.com/gruntjs/grunt-legacy-util.git"
  },
  "scripts": {
    "test": "grunt test"
  },
  "version": "1.1.1"
}


I expect some other package you are using depends on lodash 4.17.10, which in turn is acceptable to grunt-legacy-util and avoids duplicating the package.

Try running this to see how lodash is being pulled in:

$ npm ls lodash
├─┬ async@2.6.3
│ └── UNMET DEPENDENCY lodash@^4.17.14
├─┬ aws-sdk-mock@4.5.0
│ └─┬ sinon@7.4.1
│   └─┬ @sinonjs/samsam@3.3.2
│     └── UNMET DEPENDENCY lodash@^4.17.11
└─┬ grunt@1.0.4
  └─┬ grunt-legacy-log@2.0.0
    ├─┬ grunt-legacy-log-utils@2.0.1
    │ └── UNMET DEPENDENCY lodash@~4.17.10
    └── UNMET DEPENDENCY lodash@~4.17.5

npm ERR! missing: lodash@^4.17.14, required by async@2.6.3
npm ERR! missing: lodash@^4.17.11, required by @sinonjs/samsam@3.3.2
npm ERR! missing: lodash@~4.17.5, required by grunt-legacy-log@2.0.0
npm ERR! missing: lodash@~4.17.10, required by grunt-legacy-log-utils@2.0.1

Are you actually getting an old version of lodash being installed for grunt-legacy-util, or are you just concerned that “~4.17.10” appears in the package.json?

That is a semver range saying later minor versions are ok, and not a fixed version. A nice way to visualise what this means for a particular package is to play around on the calculator, and there are tips about ranges on the page too: https://semver.npmjs.com
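To make the range point concrete, here is an added example (not from this thread or from npm) that implements just the `~` and `^` range rules and checks the lodash ranges from the `npm ls lodash` output above against a few candidate versions; the candidate list and range list are constructed for the example, and the full grammar is left to the real `semver` package.

```javascript
// Minimal semver range checker for the two range forms seen in this thread.
// Assumed scope: plain x.y.z versions and "~x.y.z" / "^x.y.z" ranges only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ~x.y.z : >= x.y.z and < x.(y+1).0        (patch updates only)
// ^x.y.z : >= x.y.z and < (x+1).0.0        (minor and patch, when x > 0)
// ^0.y.z : >= 0.y.z and < 0.(y+1).0        (0.x majors are locked to minor)
// ^0.0.z : exactly 0.0.z
function satisfies(version, range) {
  const op = range[0];
  const base = range.slice(1);
  const [bx, by, bz] = parseVersion(base);
  const [vx, vy, vz] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (op === '~') return vx === bx && vy === by;
  if (op === '^') {
    if (bx > 0) return vx === bx;
    if (by > 0) return vx === 0 && vy === by;
    return vx === 0 && vy === 0 && vz === bz;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Highest candidate that satisfies every declared range, i.e. the single
// version npm could hoist so that no dependant needs its own copy.
function pickSharedVersion(candidates, ranges) {
  const ok = candidates.filter((v) => ranges.every((r) => satisfies(v, r)));
  ok.sort((a, b) => compareVersions(b, a)); // descending
  return ok.length ? ok[0] : null;
}

// Constructed input: the lodash ranges quoted in the `npm ls lodash` output
// above, and a handful of published lodash versions to test against.
const THREAD_RANGES = ['~4.17.10', '^4.17.14', '^4.17.11', '~4.17.5'];
const CANDIDATES = ['4.17.5', '4.17.10', '4.17.15', '4.18.0'];

console.log(pickSharedVersion(CANDIDATES, THREAD_RANGES)); // → 4.17.15
```

Note that `~4.17.10` rejects `4.18.0` while `^4.17.14` accepts it, so the tilde ranges from the grunt packages are what pin the shared copy to the 4.17.x line.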

Yes, you are right, I am getting an old version of lodash v"~4.17.10" being installed for grunt-legacy-util, which is not safe in terms of security vulnerability, so I want to get rid of this.

Is the vulnerability reported by npm audit? Does it have a suggested fix? (I am guessing the answers are Yes and No, but checking!)

No, this is reported by https://www.sonatype.com/appscan

Is your parent project a public one? (Updating transitive dependencies can be tricky, I don’t have any generic advice.)
