
Dependency lodash.set has Prototype Pollution vulnerability #303

Closed
MayGo opened this issue Aug 25, 2022 · 6 comments · Fixed by #315

Comments

@MayGo

MayGo commented Aug 25, 2022

https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032

I advise replacing that dependency.

@danpaz
Owner

danpaz commented Aug 26, 2022

There is no fixed version for lodash.set.

We use lodash.set in several places in the code. Do you have any suggested alternatives by chance?

@MayGo
Author

MayGo commented Aug 26, 2022

I just learned about https://www.npmjs.com/package/wild-wild-path, though perhaps this has too much functionality.
Or use lodash itself and depend on tree shaking to only package the used functions.
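The thread asks for a drop-in alternative to lodash.set; the following is an added example (not code from bodybuilder or any of the posters) of a minimal deep-set that refuses path segments able to reach Object.prototype. It assumes lodash.set's string or array path forms and handles only the numeric bracket syntax `a[0].b`.

```javascript
// Keys through which a write could land on Object.prototype (the
// prototype-pollution vector in the Snyk advisory referenced above).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Normalise "a.b[0].c" or ["a", "b", 0, "c"] into an array of string keys.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, ".$1") // a[0].b -> a.0.b
    .split(".")
    .filter((segment) => segment.length > 0);
}

// Safe replacement for lodash.set(target, path, value): validates every
// segment first, then creates intermediate objects/arrays as needed.
function safeSet(target, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) return target;
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`safeSet: refusing to write through "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const nextIsIndex = /^\d+$/.test(keys[i + 1]);
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) {
      node[key] = nextIsIndex ? [] : {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}
```

Because segments are checked before any write, a rejected path leaves the target untouched rather than half-written.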

staxie pushed a commit to staxie/bodybuilder that referenced this issue Feb 27, 2023
@staxie

staxie commented Feb 27, 2023

Hi. I opened a pull request for this matter. Please consider checking it out. It's a simple change.
#309

@StefOodle
Contributor

Hello, I also opened a pull request for this issue: #315. It would be great if you could have a look.

@remyoudemans

Thanks for solving this @StefOodle. Could we get a version with the fix published onto npm please @danpaz?

@danpaz
Owner

danpaz commented Jul 19, 2023

Yes, just published as 2.5.1. This reminded me that publishing from Travis CI is still broken #297 😞
