
Lerna uses version of dot-prop@4.2.0 which does not include recent security fix #2682

Closed
VancheeZze opened this issue Jul 31, 2020 · 8 comments

Comments

@VancheeZze

Expected Behavior

Lerna has some packages that depend on an outdated version of the dot-prop package, which does not include the recent security fix.

For example:

lerna > @lerna/run > @lerna/command > @lerna/project > dot-prop
lerna > @lerna/run > @lerna/version > @lerna/project > dot-prop
lerna > @lerna/run > @lerna/publish > @lerna/project > dot-prop
...

Result of the npm ls dot-prop:

└─┬ lerna@3.22.1
  ├─┬ @lerna/add@3.21.0
  │ └─┬ @lerna/command@3.21.0
  │   └─┬ @lerna/project@3.21.0
  │     └── dot-prop@4.2.0

More info about vulnerabilities introduced here: https://npmjs.com/advisories/1213

Current Behavior

After running npm audit, results include vulnerabilities related to the outdated dot-prop package which is a dependency of Lerna.

Possible Solution

Update the dot-prop package to at least 5.1.1, or the latest.

Steps to Reproduce (for bugs)

  1. Run npm audit in the project root where lerna is installed.
@eps1lon

eps1lon commented Jul 31, 2020

dot-prop@5.x requires node 8: https://github.com/sindresorhus/dot-prop/releases/tag/v5.0.0. Since @lerna/project supports node >= 6.9 this might be problematic.

@roboswank

roboswank commented Aug 21, 2020

As best I can tell, since dot-prop does not have a CHANGELOG, there appear to be no breaking changes between v4 and v5. So, until this gets worked out, you can just add this to your project's package.json and the audit succeeds:

  "resolutions": {
    "dot-prop": "5.2.0"
  }

edit: the release section says as much - aside from the node version - no breaking changes.
edit: see comment below about npm specific npm-force-resolutions to use this (if not using yarn)

@jimmyandrade

@roboswank I'll try this. Thank you.

@roboswank

roboswank commented Aug 21, 2020

@jimmyandrade Just edited my comment above, as I do believe that this is a yarn specific prop. For npm it looks like you can use something like npm-force-resolutions.

@jimmyandrade

Yes, I am using npm. Thank you for complementing your comment and sharing the resolution for npm. I'll try and check if it works.

@kyoto

kyoto commented Aug 26, 2020

dot-prop v4.2.1 has now also been released with this security fix: https://github.com/sindresorhus/dot-prop/releases/tag/v4.2.1
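
Added example, not code from this thread, lerna or dot-prop: given the fixed releases named above (4.2.1 on the 4.x line, 5.1.1 on the 5.x line), walk the tree that `npm ls dot-prop --json` prints and report the path to every dot-prop copy that still predates the fix, which is a quicker confirmation than reading the indented `npm ls` output by eye. It assumes the `{ version, dependencies: { name: {...} } }` shape of `npm ls --json`; the sample tree is constructed to mirror the one in the issue.

```javascript
// Added example (not lerna's or dot-prop's code): walk the tree that
// `npm ls dot-prop --json` prints and flag every dot-prop copy older than
// the fixed releases named in this thread (4.2.1 on 4.x, 5.1.1 on 5.x).
const FIXED = { 4: [4, 2, 1], 5: [5, 1, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable if below the fix on its own major line; majors older than 4
// never received the fix, majors newer than 5 are not affected.
function isVulnerableDotProp(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return v[0] < 4;
  return cmp(v, fixed) < 0;
}

// Recursively walk the `dependencies` objects of an `npm ls --json` tree and
// return the path (as `npm ls` prints it) to every vulnerable dot-prop.
function findVulnerableDotProp(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === "dot-prop" && isVulnerableDotProp(node.version)) {
      hits.push(here.join(" > "));
    }
    hits.push(...findVulnerableDotProp(node, here));
  }
  return hits;
}

// Constructed sample mirroring the `npm ls dot-prop` output in the issue,
// plus one already-fixed copy to show it is not reported.
const SAMPLE_TREE = { dependencies: { lerna: { version: "3.22.1", dependencies: {
  "@lerna/add": { version: "3.21.0", dependencies: {
    "@lerna/command": { version: "3.21.0", dependencies: {
      "@lerna/project": { version: "3.21.0", dependencies: {
        "dot-prop": { version: "4.2.0" } } } } } } } } },
  "other-tool": { version: "1.0.0", dependencies: { "dot-prop": { version: "5.2.0" } } } } };

console.log(findVulnerableDotProp(SAMPLE_TREE));
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls dot-prop --json`.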

@saulonunesdev

Thanks for the solution @roboswank, works for me.

@JamesHenry
Member

JamesHenry commented Jun 13, 2022

Hi Folks 👋

You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).

Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.

We hope you will continue to be a part of this community as we look to take things forward from here!

Please see #3140 for more details on our plans for 2022.

In the case of this specific issue, it looks like the dot-prop dependency was upgraded some time ago, and so this can be closed.

If you run into any issues on the latest version of lerna, please feel free to open a new issue and follow the instructions:
https://github.com/lerna/lerna/issues/new/choose

Many thanks 🙏
