[Snyk: Med] Prototype Pollution (Due 07/05/2020)

[fec-jli]

Summary

Medium severity vulnerability found
Description: Prototype Pollution
Info: https://app.snyk.io/vuln/SNYK-JS-LODASH-567746
Prototype Pollution is a vulnerability affecting JavaScript.

Remediation: There is no fixed version for lodash.

Completion criteria:

• Check to see if there's a remediation path for this
• [ ]Consider/document alternatives or workaround to solve this security issue and do that thing

[pkfec]

1. Tried updating lodash to v4.17.15 in package.json
2. deleted the package-lock.json from local : rm - rf package-lock.json
3. deleted the node_modules from local : rm - rf node_modules/
4. installed npm pkgs again : npm i and npm run build
5. from CLI ran : synk test
6. proto type pollution vulnerability STILL exists on fec-cms repo.

The latest version of lodash pkg still do not have the patch/remediation for Prototype Pollution yet. At this point there is nothing i can do and wait for the PATCH to be released here (https://app.snyk.io/vuln/SNYK-JS-LODASH-567746)

[pkfec]

Patch yet to be release for Lodash v4.17.15. Until then moving this ticket to blocked section.

[lbeaufort]

It looks like a fix was made but a release still needs to be pushed: https://github.com/lodash/lodash/issues/4837

[pkfec]

Notified security team that this issue is BLOCKED until the LODASH package is fixed in a later version.
See here: https://app.snyk.io/vuln/SNYK-JS-LODASH-567746

[lbeaufort]

Looks like a fix is ready: https://github.com/lodash/lodash/issues/4837#issuecomment-655648024

[pkfec]

Updated lodash pkg to the latest v4.17.19. And a PR #3890 is ready for review.