Workaround lodash security vulnerability in instagram-private-api
`instagram-private-api` uses a deprecated version of `request-promise`
which uses a vulnerable version of `lodash`.

We simply force the use of a more recent version of `lodash` as `request-promise`
doesn't use lodash 3.x specific code.
yannrouillard committed Nov 29, 2018
1 parent 2c321cd commit caef364
Showing 2 changed files with 22 additions and 309 deletions.
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -21,7 +21,8 @@
"yargs": "^12.0.2"
},
"resolutions": {
"instagram-private-api/tough-cookie-filestore/tough-cookie": "^2.3.3"
"instagram-private-api/tough-cookie-filestore/tough-cookie": "^2.3.3",
"instagram-private-api/request-promise": "^4.2.2"
},
"devDependencies": {
"eslint": "^5.7.0",
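Review bot: The new `resolutions` entry overrides `instagram-private-api/request-promise` to `^4.2.2` but does not pin `lodash` itself, while the commit message says the change forces a more recent `lodash`. The fix therefore depends on whichever `lodash` range request-promise 4.x declares. Either add an explicit `lodash` resolution under that path or reword the message to say request-promise is what gets overridden, and confirm with `yarn why lodash` that no 3.x copy remains in the lockfile. npm does not read the `resolutions` field, so it is worth documenting that the workaround only takes effect when the project is installed with Yarn.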