lodash v4.17.21 was just released, which resolves the two CVEs that lodash v4.17.20 is vulnerable to. How long does it take for Tidelift to recognize that, and to update the “issues” section of affected lifted packages to be no longer vulnerable?
@ljharb we’re syncing frequently, and although it’s not immediate, it should update pretty quickly. I see that v4.17.21 is now recognized in the system as of today, so I’ll ask the team to take a look at what caused the delay.
Thank you for reporting!