
[Dependency] lodash range ≥4.0.0 ≤4.17.22 flagged by audit (cloudinary → lodash) #734

@shapeshifta78

Description


Bug report for Cloudinary NPM SDK

Before proceeding, please update to latest version and test if the issue persists.

We are on cloudinary@2.9.0 (latest on npm). bun audit still flags lodash pulled in by this package.


Describe the bug in a sentence or two.

The Cloudinary NPM SDK declares a dependency on lodash (^4.17.21 in cloudinary@2.9.0). The resolved lodash version falls in the range reported as vulnerable by multiple GitHub Security Advisories (lodash >=4.0.0 <=4.17.22). Security scanners (e.g. bun audit / npm audit) therefore report high and moderate findings on installs that only add cloudinary as a direct dependency.


Issue Type (Can be multiple)

  • Build - Can’t install or import the SDK
  • Babel - Babel errors or cross browser issues
  • Performance - Performance issues
  • Behaviour - Functions aren’t working as expected (Such as generate URL)
  • Documentation - Inconsistency between the docs and behaviour
  • Incorrect Types - For typescript users who are having problems with our d.ts files
  • Other (Specify): Transitive dependency vulnerability (lodash); audit reports CVEs/GHSAs after install

Steps to reproduce

  1. Create a minimal project with "cloudinary": "^2.9.0" in package.json.
  2. Run npm install or bun install.
  3. Run bun audit (or npm audit).
  4. Observe findings for lodash, dependency path cloudinary › lodash, vulnerable range >=4.0.0 <=4.17.22.
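As an added example (not code from the issue author or the cloudinary project), the following Node.js script performs the step-4 check offline: it reads a package-lock.json (lockfileVersion 2/3 layout), lists every resolved lodash copy, tests each version against the advisory range quoted above (>=4.0.0 <=4.17.22), and reconstructs the dependency chain (cloudinary › lodash). The embedded lockfile is constructed for illustration; the function names and the semver helpers are my own and are not part of any npm or bun tooling.

```javascript
// Added example: offline lockfile check for a transitive lodash dependency.
// Not the cloudinary project's code. Works on npm's package-lock.json
// (lockfileVersion 2 or 3, which carries a flat "packages" map); bun.lock
// uses a different format and is not parsed here.

// Constructed sample lockfile (not a real install). cloudinary@2.9.0 and
// its lodash ^4.17.21 declaration are taken from the issue text.
const SAMPLE_LOCK = {
  name: "repro",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { cloudinary: "^2.9.0" } },
    "node_modules/cloudinary": { version: "2.9.0", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Advisory range reported by the scanners, as quoted in the issue.
const VULN_RANGE = { min: "4.0.0", max: "4.17.22" };

// Minimal semver parsing: major.minor.patch only. Pre-release tags are
// ignored, so "4.17.23-beta.1" compares equal to "4.17.23".
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Inclusive on both ends, matching ">=4.0.0 <=4.17.22".
function inVulnerableRange(version, range = VULN_RANGE) {
  return compareSemver(version, range.min) >= 0 && compareSemver(version, range.max) <= 0;
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function nameFromPath(p) {
  const parts = p.split("node_modules/").filter(Boolean);
  return parts[parts.length - 1].replace(/\/$/, "");
}

// Packages whose declared dependencies include `target`; "." is the root.
// Matching is by name only, so nested duplicate versions are approximated.
function findDependents(lock, target) {
  const parents = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    if (target in deps) parents.push(path === "" ? "." : nameFromPath(path));
  }
  return parents;
}

// Root-to-target chains rendered like the audit output: "cloudinary › lodash".
function dependencyChains(lock, target, maxDepth = 8) {
  const chains = [];
  const walk = (name, chain, depth) => {
    if (depth > maxDepth) return;
    for (const parent of findDependents(lock, name)) {
      if (parent === ".") { chains.push(chain.join(" › ")); continue; }
      if (chain.includes(parent)) continue; // cycle guard
      walk(parent, [parent, ...chain], depth + 1);
    }
  };
  walk(target, [target], 0);
  return chains;
}

// One finding per resolved copy of `name` in the lockfile.
function auditPackage(lock, name, range = VULN_RANGE) {
  if (!lock.packages) throw new Error("lockfile has no 'packages' map (lockfileVersion 2/3 expected)");
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "" || nameFromPath(path) !== name) continue;
    findings.push({
      path,
      version: pkg.version,
      vulnerable: inVulnerableRange(pkg.version, range),
      via: dependencyChains(lock, name),
    });
  }
  return findings;
}

// Stand-alone usage: node check-lodash.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditPackage(lock, "lodash")) {
    console.log(`${f.path} lodash@${f.version} ${f.vulnerable ? "IN" : "outside"} range; via ${f.via.join(", ")}`);
  }
}
```

Run against a real lockfile to confirm whether the resolved lodash copy is the one inside the range, and which top-level package pulls it in; a version outside the range (such as one above 4.17.22) reports "outside range" without any network access.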

Error screenshots

bun audit output (excerpt): (screenshot attached to the issue, not reproduced in text)

Suggested fix

Bump the lodash dependency in cloudinary to a patched version outside the vulnerable range (e.g. per the linked GHSAs, typically > 4.17.22 / latest 4.x patch), and release a patch version of the SDK so consumers clear audits without overrides / resolutions.
