@tryghost/tpl uses deprecated lodash.template with unpatched CVE-2021-23337

## Summary

The `@tryghost/tpl` package depends on `lodash.template@^4.5.0`, which is deprecated and has an unpatched command injection vulnerability (CVE-2021-23337).

## Affected Package Chain

```
gscan
  → @tryghost/validator
    → @tryghost/tpl@0.1.35 (latest)
      → lodash.template@4.5.0 (deprecated, no fix available)
```

## Vulnerability Details

- **CVE:** [CVE-2021-23337](https://nvd.nist.gov/vuln/detail/CVE-2021-23337)
- **Severity:** High
- **Type:** Command Injection
- **Status:** No patched version of lodash.template exists

## Impact

Theme developers using `gscan` for validation receive Dependabot security alerts that cannot be resolved without upstream changes.

## Suggested Fix

Consider migrating `@tryghost/tpl` to use an actively maintained templating library such as:
- [template-literal](https://www.npmjs.com/package/template-literal)
- Native ES6 template literals with a simple wrapper
- [handlebars](https://www.npmjs.com/package/handlebars) (already in Ghost ecosystem)

## Workaround

Currently dismissing as "tolerable risk" since:
- Only affects development dependencies
- Template input is controlled (theme files, not user input)

## Environment

- gscan: 5.2.1
- @tryghost/validator: 0.2.17
- @tryghost/tpl: 0.1.35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

@tryghost/tpl uses deprecated lodash.template with unpatched CVE-2021-23337 #730

Summary

Affected Package Chain

Vulnerability Details

Impact

Suggested Fix

Workaround

Environment

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

@tryghost/tpl uses deprecated lodash.template with unpatched CVE-2021-23337 #730

Description

Summary

Affected Package Chain

Vulnerability Details

Impact

Suggested Fix

Workaround

Environment

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions