chore: fix lodash vulnerability (#138)

antoine-coulon · Jan 30, 2024 · 4a3bd27 · 4a3bd27
1 parent 621c7b1
commit 4a3bd27
Show file tree

Hide file tree

Showing 11 changed files with 46 additions and 55 deletions.
diff --git a/.changeset/friendly-dots-beam.md b/.changeset/friendly-dots-beam.md
@@ -0,0 +1,7 @@
+---
+"fs-tree-structure": patch
+"skott": patch
+"skott-webapp": patch
+---
+
+Fixes high severity vulnerability in lodash.\* dependency by replacing it with lodash-es
diff --git a/apps/web/package.json b/apps/web/package.json
@@ -30,7 +30,7 @@
     "@mantine/form": "^7.0.0",
     "@mantine/hooks": "^6.0.16",
     "@tabler/icons-react": "^2.25.0",
-    "@types/lodash.isequal": "^4.5.6",
+    "@types/lodash-es": "^4.17.12",
     "@types/react": "^18.2.14",
     "@types/react-dom": "^18.2.6",
     "@typescript-eslint/eslint-plugin": "^5.61.0",
@@ -39,7 +39,7 @@
     "component-emitter": "^1.3.0",
     "fs-tree-structure": "workspace:*",
     "keycharm": "^0.2.0",
-    "lodash.isequal": "^4.5.0",
+    "lodash-es": "^4.17.21",
     "minimatch-browser-fork": "^1.0.0",
     "ninja-keys": "^1.2.2",
     "react": "^18.2.0",

diff --git a/apps/web/server.js b/apps/web/server.js
@@ -83,7 +83,7 @@ const skottGraphData = {
         "@effect/data",
         "@effect/io",
         "digraph-js",
-        "lodash.difference",
+        "lodash-es",
       ],
       builtinDependencies: ["node:path"],
     },
@@ -450,7 +450,7 @@ const skottGraphData = {
         "@effect/data",
         "@effect/io",
         "digraph-js",
-        "lodash.difference",
+        "lodash-es",
       ],
       builtinDependencies: ["node:path"],
     },

diff --git a/apps/web/src/network/Network.tsx b/apps/web/src/network/Network.tsx
@@ -3,7 +3,7 @@ import { Subscription, delay, distinctUntilChanged, map, tap } from "rxjs";
 
 import { DataSet } from "vis-data";
 import { Edge, Network, Node } from "vis-network";
-import isEqual from "lodash.isequal";
+import { isEqual } from "lodash-es";
 
 import { AppState, NetworkLayout } from "@/store/state";
 import { useAppStore } from "@/store/react-bindings";

diff --git a/packages/fs-tree-structure/index.ts b/packages/fs-tree-structure/index.ts
@@ -1,4 +1,4 @@
-import set from "lodash.set";
+import { set } from "lodash-es";
 
 export type TreeStructure = { [key: string]: TreeStructure };
 

diff --git a/packages/fs-tree-structure/package.json b/packages/fs-tree-structure/package.json
@@ -22,13 +22,13 @@
     "lint": "eslint ."
   },
   "dependencies": {
-    "lodash.set": "^4.3.2"
+    "lodash-es": "^4.17.21"
   },
   "devDependencies": {
     "@nodesecure/eslint-config": "^1.7.0",
     "@skottorg/config": "workspace:*",
     "@types/chai": "^4.3.5",
-    "@types/lodash.set": "^4.3.7",
+    "@types/lodash-es": "^4.17.12",
     "@types/mocha": "^9.1.1",
     "@types/node": "^16.18.36",
     "chai": "^4.3.7",

diff --git a/packages/skott/package.json b/packages/skott/package.json
@@ -57,7 +57,7 @@
     "is-wsl": "^3.0.0",
     "json5": "^2.2.3",
     "kleur": "^4.1.5",
-    "lodash.difference": "^4.5.0",
+    "lodash-es": "^4.17.21",
     "meriyah": "^4.3.7",
     "minimatch": "^9.0.3",
     "ora": "^6.3.1",
@@ -72,7 +72,7 @@
     "@skottorg/config": "workspace:*",
     "@types/compression": "^1.7.2",
     "@types/ignore-walk": "^4.0.0",
-    "@types/lodash.difference": "^4.5.7",
+    "@types/lodash-es": "^4.17.12",
     "@types/node": "^20.8.2",
     "@types/polka": "^0.5.4",
     "@typescript-eslint/eslint-plugin": "^6.7.4",

diff --git a/packages/skott/src/skott.ts b/packages/skott/src/skott.ts
@@ -5,7 +5,7 @@ import * as Option from "@effect/data/Option";
 import * as Effect from "@effect/io/Effect";
 import * as Exit from "@effect/io/Exit";
 import { DiGraph } from "digraph-js";
-import difference from "lodash.difference";
+import { difference } from "lodash-es";
 
 import {
   isFileAffected,

diff --git a/packages/skott/test/unit/ecmascript/graph.spec.ts b/packages/skott/test/unit/ecmascript/graph.spec.ts
@@ -263,7 +263,7 @@ describe("When building the project structure independently of JavaScript or Typ
                   import { parseScript } from 'meriyah';
                   import 'side-effect-library';
                   import { getStrategy } from "@nodesecure/vulnera";
-                  import difference from "lodash.difference";
+                  import { difference } from "lodash-es";
                   import _ from "next-plugin-preval/config";
                 `,
                   "lib.js": ""
@@ -278,7 +278,7 @@ describe("When building the project structure independently of JavaScript or Typ
                 "meriyah",
                 "side-effect-library",
                 "@nodesecure/vulnera",
-                "lodash.difference",
+                "lodash-es",
                 "next-plugin-preval"
               ]);
             });

diff --git a/packages/skott/test/unit/ecmascript/unused.spec.ts b/packages/skott/test/unit/ecmascript/unused.spec.ts
@@ -236,7 +236,7 @@ describe("Searching for unused dependencies", () => {
                 skott: "*",
                 rxjs: "*",
                 ramda: "*",
-                "lodash.difference": "*",
+                "lodash-es": "*",
                 "@effect-ts/core": "*",
                 ajv: "*",
                 "ajv-format": "*"
@@ -253,7 +253,7 @@ describe("Searching for unused dependencies", () => {
           expect(thirdParty).to.deep.equal([
             "skott",
             "ramda",
-            "lodash.difference",
+            "lodash-es",
             "ajv"
           ]);
         });

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml