Replace Lodash Per Method Packages with Main Lodash Package

Question

Replace Lodash Per Method Packages with Main Lodash Package

Opened this issue 2 months ago · 0 comments

I'm submitting a...

Bug report
Feature request
Documentation issue or request
Other... Please describe:

Expected Behavior

Resolve CVE-2020-8203 and replace lodash per method packages with main lodash package.

CVE-2020-8203 - Prototype Pollution in lodash
Description
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Current Behavior

Jovo 4.6.2 includes lodash.set which fails CVE-2020-8203 and there is no patched lodash per method package that resolves it. The best approach is to remove all lodash per method packages and instead use the patched lodash library 4.17.19 or above. This prepares Jovo for lodash v5 which will no longer support per method packages. See https://lodash.com/per-method-packages

The most recent version of lodash.set is 4.3.2 published 8 years ago.
Most recent version of lodash is 4.17.21 published 4 years ago.

Error Log

None

Your Environment

Jovo Framework version used: 4.6.2
Operating System: Windows 11 Pro