🚨 Security Alert: gplint@latest Contains High-Severity Lodash Vulnerabilities
A critical dependency scan has flagged the gplint@latest package as containing two high-severity security vulnerabilities, both stemming from its use of the widely deployed lodash library. This exposes any project relying on this version of gplint to potential code injection and prototype pollution attacks, creating an immediate security risk for developers and their applications.
The scan identified two specific flaws within the bundled lodash dependency. The first is a high-severity code injection vulnerability in the `_.template` function, affecting versions 4.0.0 through 4.17.23. The second is a moderate-severity prototype pollution flaw via an array path bypass in `_.unset` and `_.omit`, present in all versions up to 4.17.23. These are not theoretical risks; they are known vectors that could allow attackers to execute arbitrary code or manipulate object prototypes, compromising application integrity.
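The prototype pollution flaw above is described as an array path bypass: a guard that only inspects a string path such as `"__proto__.x"` is sidestepped when the same path arrives as the array `["__proto__", "x"]`. The following is an added example, not code from the advisory, from gplint or from lodash, showing the defensive pattern for callers that must pass untrusted property paths to `_.unset` or `_.omit` while waiting for the patched lodash: normalise the path to segments first, then reject any segment that can reach a prototype. It assumes the application receives paths from request input, and `plainUnset` is a hypothetical stand-in for `_.unset` so the block runs without lodash installed.

```javascript
// Added example: validate untrusted property paths before they reach
// lodash-style path APIs (_.unset, _.omit). Not from the gplint or lodash
// projects. The application is assumed to receive `path` from untrusted
// input (e.g. a JSON request body).

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a path to its segments for both forms lodash accepts:
//   "a.b[0].c"         -> ["a", "b", "0", "c"]
//   ["a", "b", 0, "c"] -> ["a", "b", "0", "c"]
// Validating after normalisation is what closes the array-path bypass:
// a string-only check never sees ["__proto__", "x"].
function toSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  if (typeof path !== 'string') throw new TypeError('path must be a string or array');
  return path
    .replace(/\[(['"]?)(.*?)\1\]/g, '.$2') // [0] / ['x'] / ["x"] -> .0 / .x
    .split('.')
    .filter(seg => seg.length > 0);
}

// True only if no segment could traverse into a prototype.
function isSafePath(path) {
  try {
    return toSegments(path).every(seg => !FORBIDDEN_SEGMENTS.has(seg));
  } catch {
    return false; // unparseable input is treated as unsafe
  }
}

// Hypothetical stand-in for _.unset so the example runs offline: walks own
// data properties only and deletes the final key. Returns true on success.
function plainUnset(obj, path) {
  const segs = toSegments(path);
  if (segs.length === 0) return false;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return false;
    cur = cur[segs[i]];
  }
  if (cur === null || typeof cur !== 'object') return false;
  return delete cur[segs[segs.length - 1]];
}

// Wrapper to use instead of calling the path API directly on untrusted
// paths. `unsetFn` is injected (pass lodash's _.unset in a real project).
function safeUnset(unsetFn, obj, path) {
  if (!isSafePath(path)) {
    throw new Error(`refused to unset forbidden path: ${JSON.stringify(path)}`);
  }
  return unsetFn(obj, path);
}

// Usage on constructed data: a legitimate removal succeeds, while the
// array-form prototype path is rejected before it can touch Object.prototype.
const record = { user: { email: 'a@example.test', tmp: 1 }, id: 7 };
safeUnset(plainUnset, record, 'user.tmp');
console.log(record); // { user: { email: 'a@example.test' }, id: 7 }
try {
  safeUnset(plainUnset, record, ['__proto__', 'polluted']);
} catch (err) {
  console.log(err.message); // refused to unset forbidden path: ["__proto__","polluted"]
}
```

The same segment-level check applies to `_.omit`. For the `_.template` code injection the mitigation is different and needs no helper: a template string is compiled to JavaScript, so it must come only from application source or a fixed allowlist, never from request input, regardless of the lodash version in use.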
Maintainers and developers using gplint are urged to take immediate action. The recommended fix is to run `npm audit fix` or, if necessary, `npm audit fix --force` to update the underlying lodash dependency to a patched version. Failure to patch leaves projects vulnerable to exploitation, potentially leading to data breaches or system compromise. This alert underscores the persistent security challenges within the JavaScript and npm ecosystem, where a single vulnerable transitive dependency can cascade risk across countless applications.