How long do CVE mitigations take to update?

lodash v4.17.21 was just released, which resolves the two CVEs that lodash v4.17.20 is vulnerable to. How long does it take for Tidelift to recognize that, and to update the “issues” section of affected lifted packages to be no longer vulnerable?

@ljharb we’re syncing frequently, and although it’s not immediate, it should update pretty quickly. I see that v4.17.21 is now recognized in the system as of today, so I’ll ask the team to take a look at what caused the delay.

Thank you for reporting!

I posted like 10 minutes after it was released, so some delay is fine, but Tidelift is not yet updated while Tidelift is, so I guess it’ll get to it eventually?