Critical Volnerability in Vorpal - Regular Expression Denial of Service (ReDoS) in old lodash

[OZZlE]

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Will install @frctl/fractal@1.5.15, which is outside the stated dependency range
node_modules/vorpal/node_modules/inquirer/node_modules/lodash
  inquirer  <=0.11.4
  Depends on vulnerable versions of lodash
  node_modules/vorpal/node_modules/inquirer
    vorpal  *
    Depends on vulnerable versions of inquirer
    node_modules/vorpal

I updated to the latest versions but latest fractal still has the old version of lodash with the volnrability

[OZZlE]

GHSA-x5rq-j2xg-h7qm

[OZZlE]

I would be so happy if this fix could be made supporting "@frctl/nunjucks": "^1.0.3", because we have hundreds of components and would take considerable time to redo them all for nunjucks v2

[janbrasna]

Known issue:

• Update lodash version #794
• Migrate away from vorpal #671

(Seems the only way around this before Vorpal is removed could be via https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides dep resolution overrides — however they are a bit tricky to set up properly in a complicated monorepo though.)