Security Vulnerability: lodash.isDate Dependency in @salesforce/design-system-react #3182

@hkmadhusudhan

Hi team,

We've identified a security vulnerability associated with the lodash.isDate package, which is still being used as a dependency in the latest version of @salesforce/design-system-react.

https://www.npmjs.com/package/lodash.isdate

The lodash.isDate package has not received any updates in over 9 years.
A security issue has been flagged in this library, raising concerns about its continued usage.
The latest release of @salesforce/design-system-react still includes this dependency.

Could you please confirm:

Whether any APIs or functions from lodash.isDate are actively used within the package?
If there are any plans to remove or replace this dependency with a more secure and actively maintained alternative?

Thanks for looking into this! Looking forward to hearing back from you.
