CVE-2021-23337 Command Injection in lodash
Closed this issue · 3 comments
Preliminary Checks
- This issue is not a duplicate. Before opening a new issue, please search existing issues: https://github.com/gatsbyjs/gatsby/issues
- This issue is not a question, feature request, RFC, or anything other than a bug report directly related to Gatsby. Please post those things in GitHub Discussions: https://github.com/gatsbyjs/gatsby/discussions
Description
A dependency of gatsby-plugin-offline, namely workbox-build, has a dependency called lodash.template that has a vulnerability reported: GHSA-35jh-r3h4-6jhm
I logged a bug with Google Workbox to no avail: GoogleChrome/workbox#3322
Here is a discussion that explains why lodash cannot fix this: lodash/lodash#5851
What could be done to fix this in gatsby?
Reproduction Link
N/A
Steps to Reproduce
This is the result of a GitHub dependabot alert
Expected Result
clear dependabot alert list
Actual Result
dependabot alert
Environment
System:
  OS: macOS 14.5
  CPU: (12) arm64 Apple M2 Pro
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
  Yarn: 1.22.19 - ~/.yarn/bin/yarn
  npm: 9.6.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
Browsers:
  Chrome: 125.0.6422.142
  Edge: 125.0.2535.92
  Safari: 17.5
npmGlobalPackages:
  gatsby-cli: 5.11.0
Config Flags
No response
I have the same issue, gatsby-plugin-offline needs to update its workbox-build version
Something I missed when I opened this: workbox-build has fixed this in GoogleChrome/workbox#2522 by going to lodash directly. Please kindly update to workbox-build v6 on gatsby-plugin-offline.