Hi CodeceptJS team, after upgrading to CodeceptJS 3.7.5, we're encountering critical security vulnerability alerts from BlackDuck and other enterprise security scanners due to the lodash.shuffle@4.2.0 dependency introduced in v3.7.4. The scanners are flagging multiple high-severity vulnerabilities (7 High, 4 Medium, 1 Low) because they incorrectly apply full lodash@4.2.0 vulnerabilities to this micro-package, which is blocking our enterprise deployments and CI/CD pipelines. Since lodash.shuffle is used in only one location https://github.com/codeceptjs/CodeceptJS/blob/3.x/lib/codecept.js#L189 within CodeceptJS and the lodash ecosystem is no longer actively maintained with known security concerns, could you please consider replacing it with a native Fisher-Yates shuffle implementation? This would eliminate the security scanner issues entirely while maintaining the same functionality. I can provide a simple native implementation if helpful - this change would significantly benefit enterprise users who rely on automated security scanning for compliance requirements.
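A dependency-free Fisher-Yates shuffle of the kind the post proposes, added here as an example (it is neither the project's code nor the poster's offered implementation). Like lodash.shuffle it returns a new array and leaves the input untouched; the injectable `random` parameter, the `isPermutation` check and the seeded generator are assumptions added so the behaviour can be verified deterministically, and the file list is constructed sample data. Test ordering does not need cryptographic randomness, so `Math.random` is an adequate default.

```javascript
// Drop-in replacement for lodash.shuffle: returns a new array holding the
// elements of `collection` in uniformly random order (Fisher-Yates / Knuth
// shuffle) without mutating the input. `random` must return a float in [0, 1);
// it is injectable so the shuffle can be tested with a fixed sequence.
function shuffle(collection, random = Math.random) {
  const result = Array.from(collection ?? []);
  // Walk from the last index down; swap position i with a random index in [0, i].
  for (let i = result.length - 1; i > 0; i--) {
    const j = Math.floor(random() * (i + 1));
    [result[i], result[j]] = [result[j], result[i]];
  }
  return result;
}

// Verify that `shuffled` contains exactly the elements of `original`
// (same multiset), i.e. that the shuffle neither lost nor duplicated tests.
function isPermutation(original, shuffled) {
  if (original.length !== shuffled.length) return false;
  const counts = new Map();
  for (const v of original) counts.set(v, (counts.get(v) ?? 0) + 1);
  for (const v of shuffled) {
    const n = counts.get(v);
    if (!n) return false;
    counts.set(v, n - 1);
  }
  return true;
}

// Deterministic 32-bit LCG, constructed for testing only (not a CSPRNG):
// the same seed always yields the same shuffle order.
function seededRandom(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296;
  };
}

// Constructed sample: the sort of test-file list codecept.js shuffles.
const SAMPLE_TESTS = ['login_test.js', 'cart_test.js', 'checkout_test.js', 'search_test.js'];
```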