dciccale/grunt-processhtml

Lodash security issue

Opened this issue · 5 comments

Lodash dependency needs to be raised, see:

High:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Low:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

@dciccale Any chance we can get someone to accept #122...
Is this still supported? If not... a replacement recommended? Thanks.


@marcobiedermann ...

@june07

I'm sorry but I am not a maintainer of this project and therefore can not approve the changes.
In general, the update looks good to me.

I guess @dciccale can help out

#122 has been merged.

A new vulnerability was patched with #124

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-processhtml [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-processhtml > htmlprocessor > lodash                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1673                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
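An added check, not code from this project or from anyone in the thread, that resolves the lodash version along the `grunt-processhtml > htmlprocessor > lodash` path reported by the audit output and lists which of the four advisory thresholds quoted in this issue the resolved version still misses. The lockfile fragment is constructed for the example; the advisory ids and "Patched in" versions are the ones from the audit tables above.

```javascript
// Advisory thresholds copied from the npm audit output in this issue.
const ADVISORIES = [
  { id: 577,  severity: 'Low',  title: 'Prototype Pollution', patchedIn: '4.17.5' },
  { id: 782,  severity: 'High', title: 'Prototype Pollution', patchedIn: '4.17.11' },
  { id: 1065, severity: 'High', title: 'Prototype Pollution', patchedIn: '4.17.12' },
  { id: 1673, severity: 'High', title: 'Command Injection',   patchedIn: '4.17.21' },
];

// Dependency path exactly as npm audit reports it for this package.
const ADVISORY_PATH = ['grunt-processhtml', 'htmlprocessor', 'lodash'];

// Numeric "major.minor.patch" comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile-v1 style "dependencies" tree along `path`. At each step a
// nested entry wins; otherwise fall back to the hoisted top-level entry, which
// is how a flat node_modules would resolve it. Returns the version or null.
function resolveAlongPath(lock, path) {
  let node = lock;
  for (const name of path) {
    const nested = (node.dependencies || {})[name];
    const hoisted = (lock.dependencies || {})[name];
    node = nested || hoisted;
    if (!node) return null;
  }
  return node.version || null;
}

// Advisory ids whose "Patched in" floor the given version does not reach.
function openAdvisories(version) {
  return ADVISORIES.filter(a => compareVersions(version, a.patchedIn) < 0).map(a => a.id);
}

// Constructed sample lock: lodash 4.17.21 hoisted at the root, but htmlprocessor
// still pins its own nested lodash 4.17.11, which is what the audit path hits.
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: '4.17.21' },
    'grunt-processhtml': { version: '0.4.2', dependencies: {
      htmlprocessor: { version: '0.2.6', dependencies: { lodash: { version: '4.17.11' } } },
    } },
  },
};

const resolved = resolveAlongPath(SAMPLE_LOCK, ADVISORY_PATH);
console.log(`lodash via audit path: ${resolved}, open advisories: ${openAdvisories(resolved)}`);
```

The nested entry is reported even though the root copy is patched, which is why raising the dependency in htmlprocessor (as #122 and #124 did) matters rather than only updating the top-level lodash.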