Vulnerability in storybookjs / storybook with lodash 4.17.20

[leakhand]

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

What is expected?
Update lodash to 4.17.21

What is actually happening?
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. WhiteSource Note: After conducting further research, WhiteSource has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

[shilman]

Huzzah!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.4.5 containing PR #16883 that references this issue. Upgrade today to the @latest NPM tag to try it out!

npx sb upgrade

Closing this issue. Please re-open if you think there's still more to do.

[shilman]

Yowza!! I just released https://github.com/storybookjs/storybook/releases/tag/v6.5.0-alpha.2 containing PR #16883 that references this issue. Upgrade today to the @next NPM tag to try it out!

npx sb upgrade --prerelease