This repository was archived by the owner on Dec 27, 2023. It is now read-only.
Description
Our dependency-check has notified us that the version of [email protected] has a CRITICAL security vulnerability, so it should no longer be used and we should instead upgrade to a patched version of lodash.
From this report: GHSA-35jh-r3h4-6jhm

> lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
`npm ls lodash` tree (oc-template-react-compiler):

```
├─┬ [email protected]
...
│ ├── [email protected]
...
```
Proposed Solution
Bump the version of lodash to the patched version 4.17.21.
Optionally, can we use a minor semver `^4.17.21` to keep this up to date without a release?
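As an added example (not code from this issue or from the oc-template-react-compiler project), a small dependency-free script that reads an `npm ls lodash` tree like the one above, flags every nested lodash below the 4.17.21 fix version, and checks whether a `^4.17.21` range would still admit a given version; the sample tree and its dependency names and versions are constructed.

```javascript
// Patched lodash release named in GHSA-35jh-r3h4-6jhm.
const PATCHED = '4.17.21';

// Constructed sample in the shape `npm ls lodash` prints (names/versions made up).
const SAMPLE_TREE = `oc-template-react-compiler@0.0.0-constructed
├─┬ dep-a@1.0.0
│ └── lodash@4.17.15
├─┬ dep-b@2.0.0
│ └── lodash@4.17.21 deduped
└── lodash@4.17.20`;

// Split a plain x.y.z version into numeric parts (pre-release tags not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret semantics for a non-zero major: same major and not below the floor,
// so ^4.17.21 accepts 4.17.21 and any later 4.x but never 4.17.20 or 5.0.0.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled here');
  const floor = range.slice(1);
  return parseVersion(version)[0] === parseVersion(floor)[0]
    && compareVersions(version, floor) >= 0;
}

// Collect every lodash@x.y.z node from the tree, including deduped entries,
// because a deduped line still tells you which version is actually resolved.
function findLodash(tree) {
  const found = [];
  for (const line of tree.split('\n')) {
    const m = /\blodash@(\d+\.\d+\.\d+)/.exec(line);
    if (m) found.push(m[1]);
  }
  return found;
}

// Versions in the tree that are still below the patched release.
function vulnerableVersions(tree, patched = PATCHED) {
  return findLodash(tree).filter((v) => compareVersions(v, patched) < 0);
}
```

Run it against the real output of `npm ls lodash` to see which transitive dependencies still need a bump before the caret range can take effect.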