From 4a3bd277c0b9fabcd9e028ecb0c76cdddb957f4e Mon Sep 17 00:00:00 2001
From: Pedro Lamas
Date: Tue, 30 Jan 2024 18:03:41 +0000
Subject: [PATCH] chore: fix lodash vulnerability (#138)
---
 .changeset/friendly-dots-beam.md | 7 ++
 apps/web/package.json | 4 +-
 apps/web/server.js | 4 +-
 apps/web/src/network/Network.tsx | 2 +-
 packages/fs-tree-structure/index.ts | 2 +-
 packages/fs-tree-structure/package.json | 4 +-
 packages/skott/package.json | 4 +-
 packages/skott/src/skott.ts | 2 +-
 .../skott/test/unit/ecmascript/graph.spec.ts | 4 +-
 .../skott/test/unit/ecmascript/unused.spec.ts | 4 +-
 pnpm-lock.yaml | 64 +++++++------------
 11 files changed, 46 insertions(+), 55 deletions(-)
 create mode 100644 .changeset/friendly-dots-beam.md
diff --git a/.changeset/friendly-dots-beam.md b/.changeset/friendly-dots-beam.md
new file mode 100644
index 000000000..7ce0833a9
--- /dev/null
+++ b/.changeset/friendly-dots-beam.md
@@ -0,0 +1,7 @@
+---
+"fs-tree-structure": patch
+"skott": patch
+"skott-webapp": patch
+---
+
+Fixes high severity vulnerability in lodash.\* dependency by replacing it with lodash-es
diff --git a/apps/web/package.json b/apps/web/package.json
index 960139a20..8fffb09e1 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -30,7 +30,7 @@
 "@mantine/form": "^7.0.0",
 "@mantine/hooks": "^6.0.16",
 "@tabler/icons-react": "^2.25.0",
- "@types/lodash.isequal": "^4.5.6",
+ "@types/lodash-es": "^4.17.12",
 "@types/react": "^18.2.14",
 "@types/react-dom": "^18.2.6",
 "@typescript-eslint/eslint-plugin": "^5.61.0",
@@ -39,7 +39,7 @@
 "component-emitter": "^1.3.0",
 "fs-tree-structure": "workspace:*",
 "keycharm": "^0.2.0",
- "lodash.isequal": "^4.5.0",
+ "lodash-es": "^4.17.21",
 "minimatch-browser-fork": "^1.0.0",
 "ninja-keys": "^1.2.2",
 "react": "^18.2.0",
diff --git a/apps/web/server.js b/apps/web/server.js
index be0286785..0a89970ac 100644
--- a/apps/web/server.js
+++ b/apps/web/server.js
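Review bot: `lodash.isequal@4.5.0` is still resolved in pnpm-lock.yaml after this swap (its entry only gains `dev: false` further down in this patch), so some other dependency keeps pulling a per-method lodash package into the production graph and the replacement here closes only the direct edge. If the advisory being fixed covers that package too, `pnpm audit` will keep flagging it; a `pnpm.overrides` entry in the root package.json, or a CI `pnpm audit --prod` gate, would stop `lodash.*` per-method packages from reappearing transitively. Citing the advisory identifier in the changeset would also let the scope of the fix be checked later.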
@@ -83,7 +83,7 @@ const skottGraphData = {
 "@effect/data",
 "@effect/io",
 "digraph-js",
- "lodash.difference",
+ "lodash-es",
 ],
 builtinDependencies: ["node:path"],
 },
@@ -450,7 +450,7 @@ const skottGraphData = {
 "@effect/data",
 "@effect/io",
 "digraph-js",
- "lodash.difference",
+ "lodash-es",
 ],
 builtinDependencies: ["node:path"],
 },
diff --git a/apps/web/src/network/Network.tsx b/apps/web/src/network/Network.tsx
index f56e51fda..7f6faf370 100644
--- a/apps/web/src/network/Network.tsx
+++ b/apps/web/src/network/Network.tsx
@@ -3,7 +3,7 @@ import { Subscription, delay, distinctUntilChanged, map, tap } from "rxjs";
 import { DataSet } from "vis-data";
 import { Edge, Network, Node } from "vis-network";
-import isEqual from "lodash.isequal";
+import { isEqual } from "lodash-es";
 import { AppState, NetworkLayout } from "@/store/state";
 import { useAppStore } from "@/store/react-bindings";
diff --git a/packages/fs-tree-structure/index.ts b/packages/fs-tree-structure/index.ts
index b2be7831f..479c7384e 100644
--- a/packages/fs-tree-structure/index.ts
+++ b/packages/fs-tree-structure/index.ts
@@ -1,4 +1,4 @@
-import set from "lodash.set";
+import { set } from "lodash-es";
 export type TreeStructure = { [key: string]: TreeStructure };
diff --git a/packages/fs-tree-structure/package.json b/packages/fs-tree-structure/package.json
index 0c1329495..a3d71bc6e 100644
--- a/packages/fs-tree-structure/package.json
+++ b/packages/fs-tree-structure/package.json
@@ -22,13 +22,13 @@
 "lint": "eslint ."
 },
 "dependencies": {
- "lodash.set": "^4.3.2"
+ "lodash-es": "^4.17.21"
 },
 "devDependencies": {
 "@nodesecure/eslint-config": "^1.7.0",
 "@skottorg/config": "workspace:*",
 "@types/chai": "^4.3.5",
- "@types/lodash.set": "^4.3.7",
+ "@types/lodash-es": "^4.17.12",
 "@types/mocha": "^9.1.1",
 "@types/node": "^16.18.36",
 "chai": "^4.3.7",
diff --git a/packages/skott/package.json b/packages/skott/package.json
index d9b42087d..18e277f26 100644
--- a/packages/skott/package.json
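Review bot: The `set` imported from lodash-es 4.17.21 in packages/fs-tree-structure/index.ts refuses path segments named `__proto__`, `constructor` or `prototype` (it returns the target untouched — the prototype-pollution hardening the per-method `lodash.set` never received), so if the tree is built from file-system path segments, a directory with one of those names is now silently dropped instead of inserted. That is the right side to fail on, but it is a behavior change relative to `lodash.set` and deserves a unit test plus a comment next to the import, e.g. `// lodash-es set() skips __proto__/constructor/prototype keys: such path segments are dropped, not inserted.` Since `TreeStructure` is a plain-object index signature, creating the root with `Object.create(null)` (or using a `Map`) would make the prototype concern moot regardless of which helper does the insertion. The function that actually calls `set` lies outside this hunk, so the file-path origin of the keys is inferred from the package name alone.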
+++ b/packages/skott/package.json
@@ -57,7 +57,7 @@
 "is-wsl": "^3.0.0",
 "json5": "^2.2.3",
 "kleur": "^4.1.5",
- "lodash.difference": "^4.5.0",
+ "lodash-es": "^4.17.21",
 "meriyah": "^4.3.7",
 "minimatch": "^9.0.3",
 "ora": "^6.3.1",
@@ -72,7 +72,7 @@
 "@skottorg/config": "workspace:*",
 "@types/compression": "^1.7.2",
 "@types/ignore-walk": "^4.0.0",
- "@types/lodash.difference": "^4.5.7",
+ "@types/lodash-es": "^4.17.12",
 "@types/node": "^20.8.2",
 "@types/polka": "^0.5.4",
 "@typescript-eslint/eslint-plugin": "^6.7.4",
diff --git a/packages/skott/src/skott.ts b/packages/skott/src/skott.ts
index a5bb3d8cc..302d4239e 100644
--- a/packages/skott/src/skott.ts
+++ b/packages/skott/src/skott.ts
@@ -5,7 +5,7 @@ import * as Option from "@effect/data/Option";
 import * as Effect from "@effect/io/Effect";
 import * as Exit from "@effect/io/Exit";
 import { DiGraph } from "digraph-js";
-import difference from "lodash.difference";
+import { difference } from "lodash-es";
 import { isFileAffected,
diff --git a/packages/skott/test/unit/ecmascript/graph.spec.ts b/packages/skott/test/unit/ecmascript/graph.spec.ts
index d60ff9886..05ab75d92 100644
--- a/packages/skott/test/unit/ecmascript/graph.spec.ts
+++ b/packages/skott/test/unit/ecmascript/graph.spec.ts
@@ -263,7 +263,7 @@ describe("When building the project structure independently of JavaScript or Typ
 import { parseScript } from 'meriyah';
 import 'side-effect-library';
 import { getStrategy } from "@nodesecure/vulnera";
- import difference from "lodash.difference";
+ import { difference } from "lodash-es";
 import _ from "next-plugin-preval/config";
 `,
 "lib.js": ""
@@ -278,7 +278,7 @@ describe("When building the project structure independently of JavaScript or Typ
 "meriyah",
 "side-effect-library",
 "@nodesecure/vulnera",
- "lodash.difference",
+ "lodash-es",
 "next-plugin-preval"
 ]);
 });
diff --git a/packages/skott/test/unit/ecmascript/unused.spec.ts b/packages/skott/test/unit/ecmascript/unused.spec.ts
index 0c888f08d..70674517b 100644
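Review bot: In packages/skott/src/skott.ts, a bare `import { difference } from "lodash-es"` makes Node evaluate the whole lodash-es barrel (every module its index re-exports) at startup to obtain one array helper, which is a measurable cost for a CLI; `import difference from "lodash-es/difference.js";` loads only that module and, as far as I recall, is covered by `@types/lodash-es` too. lodash-es also ships no CommonJS entry, so the import presumes skott is built and consumed as ESM — the ESM-only neighbours in the same dependency list (ora 6, is-wsl 3) suggest it already is, but the build target should be confirmed. The import block this hunk edits continues outside the hunk.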
--- a/packages/skott/test/unit/ecmascript/unused.spec.ts
+++ b/packages/skott/test/unit/ecmascript/unused.spec.ts
@@ -236,7 +236,7 @@ describe("Searching for unused dependencies", () => {
 skott: "*",
 rxjs: "*",
 ramda: "*",
- "lodash.difference": "*",
+ "lodash-es": "*",
 "@effect-ts/core": "*",
 ajv: "*",
 "ajv-format": "*"
@@ -253,7 +253,7 @@ describe("Searching for unused dependencies", () => {
 expect(thirdParty).to.deep.equal([
 "skott",
 "ramda",
- "lodash.difference",
+ "lodash-es",
 "ajv"
 ]);
 });
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 756ae0be5..3e1ec55ac 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -38,9 +38,9 @@ importers: '@tabler/icons-react': specifier: ^2.25.0 version: 2.25.0(react@18.2.0) - '@types/lodash.isequal': - specifier: ^4.5.6 - version: 4.5.6 + '@types/lodash-es': + specifier: ^4.17.12 + version: 4.17.12 '@types/react': specifier: ^18.2.14 version: 18.2.14 @@ -65,9 +65,9 @@ importers: keycharm: specifier: ^0.2.0 version: 0.2.0 - lodash.isequal: - specifier: ^4.5.0 - version: 4.5.0 + lodash-es: + specifier: ^4.17.21 + version: 4.17.21 minimatch-browser-fork: specifier: ^1.0.0 version: 1.0.0 @@ -149,9 +149,9 @@ importers: packages/fs-tree-structure: dependencies: - lodash.set: - specifier: ^4.3.2 - version: 4.3.2 + lodash-es: + specifier: ^4.17.21 + version: 4.17.21 devDependencies: '@nodesecure/eslint-config': specifier: ^1.7.0 @@ -162,9 +162,9 @@ importers: '@types/chai': specifier: ^4.3.5 version: 4.3.5 - '@types/lodash.set': - specifier: ^4.3.7 - version: 4.3.7 + '@types/lodash-es': + specifier: ^4.17.12 + version: 4.17.12 '@types/mocha': specifier: ^9.1.1 version: 9.1.1 @@ -322,9 +322,9 @@ importers: kleur: specifier: ^4.1.5 version: 4.1.5 - lodash.difference: - specifier: ^4.5.0 - version: 4.5.0 + lodash-es: + specifier: ^4.17.21 + version: 4.17.21 meriyah: specifier: ^4.3.7 version: 4.3.7 
@@ -362,9 +362,9 @@ importers: '@types/ignore-walk': specifier: ^4.0.0 version: 4.0.0 - '@types/lodash.difference': - specifier: ^4.5.7 - version: 4.5.7 + '@types/lodash-es': + specifier: ^4.17.12 + version: 4.17.12 '@types/node': specifier: ^20.8.2 version: 20.8.2 @@ -1955,20 +1955,8 @@ packages: resolution: {integrity: sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==} dev: true - /@types/lodash.difference@4.5.7: - resolution: {integrity: sha512-L7r80ymosy9HiqndKY9XfWeneRwOqAramdAL184pQhlS5PB+J3sKnpgUCBh7r9E6Rsdf4D4bty7t7HEC5Jny1Q==} - dependencies: - '@types/lodash': 4.14.182 - dev: true - - /@types/lodash.isequal@4.5.6: - resolution: {integrity: sha512-Ww4UGSe3DmtvLLJm2F16hDwEQSv7U0Rr8SujLUA2wHI2D2dm8kPu6Et+/y303LfjTIwSBKXB/YTUcAKpem/XEg==} - dependencies: - '@types/lodash': 4.14.182 - dev: true - - /@types/lodash.set@4.3.7: - resolution: {integrity: sha512-bS5Wkg/nrT82YUfkNYPSccFrNZRL+irl7Yt4iM6OTSQ0VZJED2oUIVm15NkNtUAQ8SRhCe+axqERUV6MJgkeEg==} + /@types/lodash-es@4.17.12: + resolution: {integrity: sha512-0NgftHUcV4v34VhXm8QBSftKVXtbkBG3ViCjs6+eJ5a6y6Mi/jiFGPc1sC7QK+9BFhWrURE3EOggmWaSxL9OzQ==} dependencies: '@types/lodash': 4.14.182 dev: true @@ -3149,7 +3137,7 @@ packages: dev: false /concat-map@0.0.1: - resolution: {integrity: sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=} + resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} /convert-source-map@1.8.0: resolution: {integrity: sha512-+OQdjP49zViI/6i7nIJpA8rAl4sV/JdPfU9nZs3VqOwGIgizICvuN2ru6fMd+4llL0tar18UYJXfZ/TWtmhUjA==} 
@@ -5041,21 +5029,17 @@ packages: p-locate: 5.0.0 dev: true - /lodash.difference@4.5.0: - resolution: {integrity: sha512-dS2j+W26TQ7taQBGN8Lbbq04ssV3emRw4NY58WErlTO29pIqS0HmoT5aJ9+TUQ1N3G+JOZSji4eugsWwGp9yPA==} - dev: false + /lodash-es@4.17.21: + resolution: {integrity: sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==} /lodash.isequal@4.5.0: resolution: {integrity: sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==} + dev: false /lodash.merge@4.6.2: resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==} dev: true - /lodash.set@4.3.2: - resolution: {integrity: sha512-4hNPN5jlm/N/HLMCO43v8BXKq9Z7QdAGc/VGrRD61w8gN9g/6jF9A4L1pbUgBLCffi0w9VsXfTOij5x8iTyFvg==} - dev: false - /lodash.startcase@4.4.0: resolution: {integrity: sha512-+WKqsK294HMSc2jEbNgpHpd0JfIBhp7rEV4aqXWqFr6AlXov+SlcgB1Fv01y2kGe3Gc8nMW7VA0SrGuSkRfIEg==} dev: true