npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Regarding lodash version in grunt-legacy-util v 1.1.1

I am using grunt-legacy-util version 1.1.1.

Under that I see the dependency below, where I am expecting lodash version 4.17.15, but I see version 4.17.10, which is a little old, and I want to get the latest version, 4.17.15.

"grunt-legacy-util": {
  "version": "1.1.1",
  "resolved": "http:xxxx/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "integrity": "...==",
  "dev": true,
  "requires": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  }
}

Please help me get the latest lodash v4.17.15 as part of grunt-legacy-util v1.1.1.

Might need more context to explain as not seeing that:

$ npm init -y
$ npm install grunt-legacy-util@1.1.1
$ npm ls lodash
10022@1.0.0 /Users/john/Documents/Sandpits/
└─┬ grunt-legacy-util@1.1.1
  └── lodash@4.17.15 

Hi, thanks for your quick response.

Please find the package.json file from the node_modules of grunt-legacy-util v1.1.1:

{
  "_args": [
    "..."
  ],
  "_development": true,
  "_from": "grunt-legacy-util@1.1.1",
  "_id": "grunt-legacy-util@1.1.1",
  "_inBundle": false,
  "_integrity": "...==",
  "_location": "/grunt-legacy-util",
  "_phantomChildren": {},
  "_requested": {
    "type": "version",
    "registry": true,
    "raw": "grunt-legacy-util@1.1.1",
    "name": "grunt-legacy-util",
    "escapedName": "grunt-legacy-util",
    "rawSpec": "1.1.1",
    "saveSpec": null,
    "fetchSpec": "1.1.1"
  },
  "_requiredBy": [
    "..."
  ],
  "_resolved": "http:XXXXX/grunt-legacy-util/-/grunt-legacy-util-1.1.1.tgz",
  "_spec": "1.1.1",
  "_where": "C:\\CodeBase\\...",
  "author": {
    "name": "\"Cowboy\" Ben Alman",
    "url": "..."
  },
  "bugs": {
    "url": "..."
  },
  "dependencies": {
    "async": "~1.5.2",
    "exit": "~0.1.1",
    "getobject": "~0.1.0",
    "hooker": "~0.2.3",
    "lodash": "~4.17.10",
    "underscore.string": "~3.3.4",
    "which": "~1.3.0"
  },
  "description": "Some old grunt utils provided for backwards compatibility.",
  "devDependencies": {
    "grunt": "^1.0.2",
    "grunt-cli": "^1.2.0",
    "grunt-contrib-jshint": "^1.0.0",
    "grunt-contrib-nodeunit": "^2.0.0",
    "grunt-contrib-watch": "^1.0.0",
    "temporary": "0.0.8"
  },
  "engines": {
    "node": ">= 6"
  },
  "homepage": "",
  "keywords": [
    "..."
  ],
  "license": "MIT",
  "main": "index.js",
  "name": "grunt-legacy-util",
  "repository": {
    "type": "git",
    "url": "git://..."
  },
  "scripts": {
    "test": "grunt test"
  },
  "version": "1.1.1"
}

I expect some other package you are using depends on lodash 4.17.10, which in turn is acceptable to grunt-legacy-util and avoids duplicating the package.

Try running this to see how lodash is being pulled in:

npm ls lodash

├─┬ async@2.6.3
│ └── UNMET DEPENDENCY lodash@^4.17.14
├─┬ aws-sdk-mock@4.5.0
│ └─┬ sinon@7.4.1
│   └─┬ @sinonjs/samsam@3.3.2
│     └── UNMET DEPENDENCY lodash@^4.17.11
└─┬ grunt@1.0.4
  └─┬ grunt-legacy-log@2.0.0
    ├─┬ grunt-legacy-log-utils@2.0.1
    │ └── UNMET DEPENDENCY lodash@~4.17.10
    └── UNMET DEPENDENCY lodash@~4.17.5

npm ERR! missing: lodash@^4.17.14, required by async@2.6.3
npm ERR! missing: lodash@^4.17.11, required by @sinonjs/samsam@3.3.2
npm ERR! missing: lodash@~4.17.5, required by grunt-legacy-log@2.0.0
npm ERR! missing: lodash@~4.17.10, required by grunt-legacy-log-utils@2.0.1

Are you actually getting an old version of lodash being installed for grunt-legacy-util, or are you just concerned that “~4.17.10” appears in the package.json?

That is a semver range saying later minor versions are ok, and not a fixed version. A nice way to visualise what this means for a particular package is to play around on the calculator, and there are tips about ranges on the page too:
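The two points above (a single hoisted lodash copy has to satisfy every requirer in the tree, and `~4.17.10` is a range rather than a pin) can be checked mechanically. The script below is an added example, not code from this thread or from npm: it implements just the exact, `~` and `^` range forms that appear in the thread's `npm ls lodash` output and lock file (no `||`, `>=`, x-ranges or pre-release tags; use the real `semver` package for those), and the requirement table is copied from that output plus grunt-legacy-util's own `~4.17.10` from the poster's lock file. It reports which requirers a given lodash version would fail to satisfy, which is what you need to know before forcing a transitive upgrade.

```javascript
// Added example (not from the forum thread): minimal semver range matcher for
// the range forms seen in the thread (exact, "~", "^"), used to check which
// lodash versions can serve as a single hoisted copy for the whole tree.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for an exact, "~" or "^" range.
function rangeBounds(range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  const [major, minor, patch] = base;
  if (op === '~') return [base, [major, minor + 1, 0]];   // ~4.17.10 => >=4.17.10 <4.18.0
  if (op === '^') {
    if (major > 0) return [base, [major + 1, 0, 0]];      // ^4.17.14 => >=4.17.14 <5.0.0
    if (minor > 0) return [base, [0, minor + 1, 0]];      // ^0.2.3   => >=0.2.3  <0.3.0
    return [base, [0, 0, patch + 1]];                     // ^0.0.8   => exactly 0.0.8
  }
  return [base, [major, minor, patch + 1]];               // exact version
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Every lodash requirement visible in the thread: four from the `npm ls lodash`
// output above, plus grunt-legacy-util's own range from the poster's lock file.
const treeRequirements = {
  'async@2.6.3': '^4.17.14',
  '@sinonjs/samsam@3.3.2': '^4.17.11',
  'grunt-legacy-log@2.0.0': '~4.17.5',
  'grunt-legacy-log-utils@2.0.1': '~4.17.10',
  'grunt-legacy-util@1.1.1': '~4.17.10',
};

// Lists the requirers that a single hoisted copy of `version` would NOT satisfy.
// An empty list means one copy at that version can serve the entire tree.
function unsatisfiedBy(version, requirements = treeRequirements) {
  return Object.entries(requirements)
    .filter(([, range]) => !satisfies(version, range))
    .map(([pkg]) => pkg);
}

for (const v of ['4.17.10', '4.17.15', '4.18.0']) {
  const missing = unsatisfiedBy(v);
  console.log(
    `lodash@${v}: ${missing.length ? 'rejected by ' + missing.join(', ') : 'satisfies every requirer'}`
  );
}
```

Run with `node` and the table shows why the tree in the thread ended up with UNMET entries: 4.17.10 is fine for grunt-legacy-util but too old for async's `^4.17.14` and samsam's `^4.17.11`, whereas 4.17.15 sits inside all five ranges, so a single hoisted 4.17.15 satisfies everyone. Note that this answers "can one version satisfy the whole tree", not "which version will npm pick": npm's placement is order-dependent, which is why the same set of ranges can land on 4.17.10 in one project and 4.17.15 in another.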

Yes, you are right, I am getting an old version of lodash v"~4.17.10" being installed for grunt-legacy-util, which is not safe in terms of security vulnerability, so I want to get rid of this.

Is the vulnerability reported by npm audit? Does it have a suggested fix? (I am guessing the answers are Yes and No, but checking!)

No, this is reported by

Is your parent project a public one? (Updating transitive dependencies can be tricky, I don’t have any generic advice.)