lodash.pick vulnerability causes npm audit failure #3994

Closed
patricker opened this issue Jan 24, 2024 · 4 comments
Comments

patricker commented Jan 24, 2024

When I run npm audit with the latest 5.1.0 version of the library (and earlier versions as well; I just verified that it happens in the latest version), I receive this error from npm audit.

Obviously going back to dd-trace 0.6.0 is not a real option :D

% npm audit
# npm audit report

lodash.pick  >=4.0.0
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install dd-trace@0.6.0, which is a breaking change
node_modules/lodash.pick
  dd-trace  >=0.6.1-beta.0
  Depends on vulnerable versions of lodash.pick
  node_modules/dd-trace

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

ruettenm commented Jan 25, 2024

Hi, we also received an error because of this. I had a look and found out that you have dependencies on some "copies" of lodash:

  • lodash.kebabcase: ^4.1.1
  • lodash.pick: ^4.4.0
  • lodash.sortby: ^4.7.0
  • lodash.uniq: ^4.5.0

None of them has been maintained for many years, so it is not possible to update the transitive dependencies of dd-trace because there is no update for "lodash.pick".

It is also not recommended to use them:
https://lodash.com/per-method-packages

Please update to the "real" lodash.

└─ lodash.pick: 4.4.0
   ├─ ID: 1096292
   ├─ Issue: Prototype Pollution in lodash
   ├─ URL: https://github.com/advisories/GHSA-p6mc-m468-83gw
   ├─ Severity: high
   ├─ Vulnerable Versions: >=3.7.0 <4.17.19
   ├─ Patched Versions: >=4.17.19
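
The kind of check that surfaces this class of finding before `npm audit` does, as an added example that is not part of the thread and not dd-trace's own code: walk a `package-lock.json` (lockfileVersion 2/3 `packages` map), list every deprecated `lodash.*` per-method package, match each against an advisory table, and print the modern `lodash/<method>` import path to migrate to. The advisory table is an assumption built only from what the thread shows (GHSA-p6mc-m468-83gw, vulnerable `>=3.7.0 <4.17.19`, reported against `lodash.pick`); the real advisory database may list further packages. The lockfile is constructed for the example, with the versions quoted in the comment above, and the `IMPORT_PATH` casing table is hand-written because `lodash.*` package names are all lowercase.

```javascript
'use strict';

// Advisory data as quoted in this thread (GHSA-p6mc-m468-83gw). Only the
// package that npm audit reported above, lodash.pick, is listed as affected
// here; the real advisory may list more packages, so treat this table as an
// illustration, not as a copy of the advisory database.
const ADVISORIES = [
  {
    id: 'GHSA-p6mc-m468-83gw',
    title: 'Prototype Pollution in lodash',
    severity: 'high',
    packages: ['lodash.pick'],
    vulnerable: { min: '3.7.0', maxExclusive: '4.17.19' }, // patched: >=4.17.19
  },
];

// Casing of the modern per-method import paths for the packages named in the
// thread. lodash.* package names are all lowercase, so the camelCase path
// cannot be recovered mechanically for every method (assumed table).
const IMPORT_PATH = { kebabcase: 'kebabCase', pick: 'pick', sortby: 'sortBy', uniq: 'uniq' };

// Minimal MAJOR.MINOR.PATCH comparison with no external semver dependency.
// A prerelease suffix such as "0.6.1-beta.0" is ignored, which is sufficient
// for matching the numeric ranges used above.
function parseVersion(v) {
  return String(v).trim().replace(/^[\^~>=<]+/, '').split('-')[0].split('.').map(Number);
}
function cmpVersion(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function matchingAdvisories(name, version) {
  return ADVISORIES.filter(a =>
    a.packages.includes(name) &&
    cmpVersion(version, a.vulnerable.min) >= 0 &&
    cmpVersion(version, a.vulnerable.maxExclusive) < 0);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys
// look like "node_modules/dd-trace/node_modules/lodash.pick"; the package
// name is the text after the last "node_modules/".
function findLodashPerMethod(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const m = /^lodash\.([a-z]+)$/.exec(name);
    if (!m) continue;
    const method = m[1];
    hits.push({
      path,
      name,
      version: meta.version,
      advisories: matchingAdvisories(name, meta.version).map(a => a.id),
      replacement: `lodash/${IMPORT_PATH[method] || method + ' (restore camelCase by hand)'}`,
    });
  }
  return hits;
}

// Constructed lockfile fragment for the example: a project depending on
// dd-trace 5.1.0, which in turn pulls in the four per-method packages listed
// in the comment above. Versions are the ones quoted in the thread.
const SAMPLE_LOCK = {
  name: 'my-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-service', dependencies: { 'dd-trace': '^5.1.0' } },
    'node_modules/dd-trace': {
      version: '5.1.0',
      dependencies: {
        'lodash.kebabcase': '^4.1.1', 'lodash.pick': '^4.4.0',
        'lodash.sortby': '^4.7.0', 'lodash.uniq': '^4.5.0',
      },
    },
    'node_modules/lodash.kebabcase': { version: '4.1.1' },
    'node_modules/lodash.pick': { version: '4.4.0' },
    'node_modules/lodash.sortby': { version: '4.7.0' },
    'node_modules/lodash.uniq': { version: '4.5.0' },
  },
};

// Stand-alone usage: one line per per-method package found.
if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findLodashPerMethod(SAMPLE_LOCK)) {
    const flag = h.advisories.length ? `FLAGGED ${h.advisories.join(',')}` : 'unmaintained';
    console.log(`${h.name}@${h.version} (${h.path}): ${flag}; use ${h.replacement}`);
  }
}
```

Against the constructed lockfile this reports all four per-method packages as unmaintained and flags only `lodash.pick@4.4.0` against the advisory, which matches the `npm audit` output at the top of the thread. To run it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the version comparison deliberately ignores prerelease tags, so a range that depends on prerelease ordering would need a real semver library.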

simon-id (Member) commented

Fixed by: #3999

simon-id (Member) commented

Patch released in versions: 5.2.0 / 4.26.0 / 3.47.0
Thank you for reporting the issue!

patricker (Author) commented

Thanks @simon-id for the rapid fix!!
