fi3ework/vite-plugin-checker

GitHub reports a CVE because of lodash.pick in this plugin

halostatue opened this issue · 9 comments

See CVE-2020-8203, which comes from lodash.pick; the locked version used by this plugin is considered vulnerable.

This is not a direct impact on my project; we had vite-plugin-checker installed but were not using it, and our resolution was to remove the plugin. The likelihood of this being a real issue is also close to zero because of the context where vite-plugin-checker is run…but some of us are beholden to SOC2 or similar acronyms.

The use of per-method packages (like lodash.pick) is now discouraged (see https://lodash.com/per-method-packages), and the recommended way is to upgrade the main lodash package.

@fi3ework can you please take a look at this?

Bump

We are using vite-plugin-checker, and the lodash update is causing our build to fail with the following error:

Error [ERR_REQUIRE_ESM]: require() of ES Module /code/***/node_modules/lodash-es/lodash.js from /code/***/node_modules/vite-plugin-checker/dist/cjs/main.js not supported.
#44 6.460 Instead change the require of lodash.js in /code/***/node_modules/vite-plugin-checker/dist/cjs/main.js to a dynamic import() which is available in all CommonJS modules.
#44 6.460     at _require.extensions.<computed> [as .js] (file:///code/***/node_modules/vite/dist/node/chunks/dep-52909643.js:66353:17)
#44 6.460     at Object.<anonymous> (/code/***/node_modules/vite-plugin-checker/dist/cjs/main.js:36:24)
#44 6.460     at _require.extensions.<computed> [as .js] (file:///code/***/node_modules/vite/dist/node/chunks/dep-52909643.js:66353:17)
#44 6.500 error Command failed with exit code 1.

Same here

Same

I'm removing lodash from the dependencies and releasing a new version now.

0.6.4 released, which removed lodash-es in #303.
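The release above says lodash-es was dropped in #303, but the page does not show that diff. The following is an added example, not code from vite-plugin-checker, from PR #303 or from lodash: it shows what a dependency-free replacement for lodash.pick looks like when written so that the prototype-pollution class behind CVE-2020-8203 cannot apply to it, next to a deliberately unsafe stand-in that shows the failure. `toPath`, `naivePick`, `safePick`, `probe` and both JSON inputs are constructed for this illustration; `naivePick` is not lodash's implementation, only the shape of the bug.

```javascript
// Added example for this thread; not code from vite-plugin-checker, from
// PR #303 or from lodash. All inputs below are constructed for illustration.

// Path segments that let a user-controlled key list reach Object.prototype
// (or every object's constructor) instead of the picked result.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// "a.b[0].c" -> ["a", "b", "0", "c"]. Assumption: dot/bracket syntax only,
// no quoted or escaped keys.
function toPath(key) {
  if (Array.isArray(key)) return key.map(String);
  return String(key).split(/\.|\[|\]\.?/).filter((s) => s.length > 0);
}

// Deliberately unsafe stand-in (NOT lodash's implementation): it follows
// inherited properties on read and, on write, descends with plain
// `target[seg]`, so the segment "__proto__" makes `target` Object.prototype.
function naivePick(source, paths) {
  const result = {};
  for (const rawPath of paths) {
    const path = toPath(rawPath);
    let value = source;
    for (const seg of path) value = value == null ? undefined : value[seg];
    if (value === undefined) continue;
    let target = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (typeof target[seg] !== 'object' || target[seg] === null) target[seg] = {};
      target = target[seg]; // for "__proto__" this is Object.prototype
    }
    target[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened replacement: drop any path with a forbidden segment, read own
// properties only, and never descend into an inherited object on write.
function safePick(source, paths) {
  const result = {};
  if (source === null || typeof source !== 'object') return result;
  for (const rawPath of paths) {
    const path = toPath(rawPath);
    if (path.length === 0 || path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) continue;

    let value = source;
    let found = true;
    for (const seg of path) {
      if (value === null || typeof value !== 'object' || !hasOwn(value, seg)) {
        found = false;
        break;
      }
      value = value[seg];
    }
    if (!found) continue;

    let target = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      if (!hasOwn(target, seg) || typeof target[seg] !== 'object' || target[seg] === null) {
        target[seg] = {};
      }
      target = target[seg];
    }
    target[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed untrusted input: a JSON body that carries an own "__proto__"
// key (JSON.parse creates it as a plain data property) and a key list that
// asks for it. Whether that key list can ever be attacker-controlled is the
// question a scanner finding like this one actually turns on.
const UNTRUSTED_OBJECT = JSON.parse(
  '{"name":"checker","secret":"s3cr3t","__proto__":{"polluted":"yes"}}'
);
const UNTRUSTED_PATHS = JSON.parse('["name","__proto__.polluted"]');

// Runs one implementation and reports whether a fresh {} inherited the
// injected key. Object.prototype is restored no matter what.
function probe(pickFn) {
  try {
    const picked = pickFn(UNTRUSTED_OBJECT, UNTRUSTED_PATHS);
    return {
      name: picked.name,
      hasSecret: hasOwn(picked, 'secret'),
      globallyPolluted: ({}).polluted !== undefined,
    };
  } finally {
    delete Object.prototype.polluted;
  }
}
```

`probe(naivePick)` reports `globallyPolluted: true` and `probe(safePick)` reports `false` with the same `name: 'checker'` and no `secret` copied. The probe doubles as the triage check for a finding like the one in this thread: feed the flagged function a path containing `__proto__` and see whether a fresh `{}` inherits the key; if the key list can only come from the plugin's own config, as the opener says, the finding is a supply-chain hygiene item rather than an exploitable one, and removing the dependency outright, as 0.6.4 did, closes it either way.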