jfcere / ngx-markdown / 44a1a4e3-daa6-4d8e-aeae-43961db880ed

97%

master: 97%

Pull #636

circleci

fix: override lodash and lodash-es to >=4.18.0 to resolve CVEs

Add npm overrides for lodash and lodash-es to force >=4.18.0 across
all transitive dependencies. This resolves two high-severity
vulnerabilities in lodash <=4.17.23:

- GHSA-r5fr-rjxr-66jc (Code Injection via _.template imports)
- GHSA-f23m-r3pf-42rh (Prototype Pollution via _.unset and _.omit)

The vulnerable lodash versions are transitive dependencies brought in
by karma (lodash) and mermaid/chevrotain (lodash-es). Upstream fixes
are pending (karma-runner/karma#3931, Chevrotain/chevrotain#2184),
so overrides are the practical fix for now.

Closes #635

110 of 119 branches covered (92.44%)

Branch coverage included in aggregate %.

308 of 313 relevant lines covered (98.4%)

24.65 hits per line