High severity vulnerability in 4.17.11 #4348

Closed
ceastman-ibm opened this issue Jul 2, 2019 · 21 comments

Comments

@ceastman-ibm commented Jul 2, 2019

snyk test lodash@4.17.11

Testing lodash@4.17.11...

✗ High severity vulnerability found in lodash
Description: Prototype Pollution
Info: https://snyk.io/vuln/SNYK-JS-LODASH-450202
Introduced through: lodash@4.17.11
From: lodash@4.17.11

Package manager: npm
Open source: yes
Project path: lodash@4.17.11

Tested lodash@4.17.11 for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.

@jdalton (Member) commented Jul 2, 2019

Hi @ceastman-ibm!

Thanks! Yes, I worked with Snyk on the patches (here and here). I'll be releasing updates this week to cover them.

@jdalton jdalton added the question label Jul 2, 2019

@ceastman-ibm (Author) commented Jul 2, 2019

@jdalton thank you for your prompt response.

@everett1992 commented Jul 5, 2019

Is there any way that I can help to get this released today?

@luke-perry commented Jul 9, 2019

Any updates on when a release will be published?

@jdalton (Member) commented Jul 9, 2019

Thanks for the offers to help. Sorry for the delay. I'm reviewing the state of things and publishing. I'll close this when published (to the main package and update the thread with publish statuses for the individual method packages).

@MRhyne1931 commented Jul 9, 2019

Thank you for the update. Does this mean you are planning to publish soon, and if so, do you have any idea on an ETA? Today, this week, etc.?

@jdalton (Member) commented Jul 9, 2019

Within the hour for the primary lodash package. The individual method packages will trickle in the rest of today.

Update:

Looks like I'm running up against a lunch. I've learned not to publish and then go to lunch so publishing will be held until after lunch.

Update:

lodash@4.17.12 lodash@4.17.13 has been published 🎉

@kunalnagar commented Jul 9, 2019

@jdalton Snyk still complains about the vulnerability in 4.17.12 here. Any idea why that might be?

@jdalton (Member) commented Jul 9, 2019

@kunalnagar

They aren't 🤖.
It requires a human on their team to validate and update their db 🙃

Update:

I've pinged Snyk to let them know I've updated lodash, lodash-es, and lodash-amd packages.

@everett1992 commented Jul 9, 2019

@kunalnagar Run their PoC script; 4.17.12 and 4.17.13 pass.
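
The PoC script @everett1992 refers to is Snyk's and is not reproduced in this thread. The block below is an added example, not lodash's code and not the PoC from the thread: it shows the general shape of such a check in JavaScript. `naiveDeepMerge` is a constructed stand-in that exhibits the recursive-merge pattern behind prototype-pollution reports of this class, `safeDeepMerge` is a hardened variant that refuses prototype-reaching keys, and `pollutesPrototype` is a harness that can be pointed at any merge-style function, including `require('lodash').merge`, `mergeWith` or `defaultsDeep` if lodash is installed. The payload shape (a JSON document carrying a `"__proto__"` key) is the standard probe for this vulnerability class and is assumed here rather than quoted from the thread.

```javascript
// Added example (not lodash's code): a deep-merge exhibiting the
// prototype-pollution pattern, a hardened variant, and a check harness.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable pattern (constructed stand-in, not lodash's merge): every source
// key is used to index the target, so a source key "__proto__" resolves
// target["__proto__"] to Object.prototype and the nested values are written
// onto it, where every object in the process then inherits them.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach the prototype chain instead of staying on the object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: own enumerable keys only, prototype-reaching keys skipped,
// and recursion only into branches the target itself owns.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check harness: merges a JSON payload carrying a "__proto__" key into a fresh
// object with mergeFn, then asks whether an unrelated fresh object now
// inherits the marker. Returns true when mergeFn pollutes Object.prototype.
// The marker is deleted afterwards so the process is left clean either way.
function pollutesPrototype(mergeFn) {
  const marker = '__pp_marker_' + Math.random().toString(36).slice(2);
  // JSON.parse yields an *own* data property literally named "__proto__";
  // an object literal {__proto__: ...} would set the prototype instead, which
  // is why attacker-controlled JSON is the realistic input for this class.
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  try {
    mergeFn({}, payload);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker];
  }
}

// Stand-alone run: report both stand-ins, and lodash if it happens to be
// installed (guarded so the file also loads under ESM).
if (typeof require === 'function' && typeof module !== 'undefined' && require.main === module) {
  console.log('naiveDeepMerge pollutes:', pollutesPrototype(naiveDeepMerge)); // true
  console.log('safeDeepMerge pollutes: ', pollutesPrototype(safeDeepMerge));  // false
  try {
    const _ = require('lodash');
    for (const name of ['merge', 'mergeWith', 'defaultsDeep']) {
      console.log(`lodash.${name} pollutes:`, pollutesPrototype(_[name]));
    }
  } catch (e) {
    console.log('lodash not installed; skipped');
  }
}
```

Run it with `node`; with lodash installed it prints a verdict per method for whatever version is resolved, which is the same kind of check the thread describes for comparing 4.17.11 against 4.17.12 and 4.17.13. The harness uses a random marker and removes it in `finally`, so a polluting merge does not leave the process in a state that would make later checks pass or fail for the wrong reason.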

@jdalton (Member) commented Jul 10, 2019

Updated lodash.merge, lodash.mergewith, and lodash.defaultsdeep.

marcdumais-work added a commit to eclipse-theia/theia that referenced this issue Jul 15, 2019
[security] Bump lodash.mergewith from 4.6.1 to 4.6.2
see: lodash/lodash#4348

Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
andrew-jung added a commit to sdelements/material-ui that referenced this issue Jul 15, 2019
Update package.json
Update lodash.merge to ^4.6.2 (from ^4.6.0)

lodash/lodash#4348
lodash/lodash#4336
quetzaluz added a commit to quetzaluz/eslint that referenced this issue Jul 15, 2019
quetzaluz added a commit to quetzaluz/eslint that referenced this issue Jul 15, 2019
quetzaluz added a commit to quetzaluz/eslint that referenced this issue Jul 15, 2019
mbautin pushed a commit to mbautin/yugabyte-db that referenced this issue Jul 16, 2019
Fix security vulnerability in lodash package and one of its dependencies.

Summary: Fix security vulnerability by updating lodash package. More details can be found here: lodash/lodash#4348

Test Plan: Try running a fresh install of `npm clean-install` and notice the version of the lodash package.

Reviewers: ram, vit.pankin, bogdan

Reviewed By: bogdan

Subscribers: jenkins-bot, kannan, karthik, ui

Differential Revision: https://phabricator.dev.yugabyte.com/D6881
@m-deacon m-deacon referenced this issue Jul 16, 2019
aladdin-add added a commit to eslint/eslint that referenced this issue Jul 16, 2019
dooart added a commit to dooart/github-backlog-toolkit that referenced this issue Jul 16, 2019
dooart added a commit to dooart/teamweek-bamboo that referenced this issue Jul 16, 2019
dooart added a commit to dooart/blindfolder that referenced this issue Jul 16, 2019
dooart added a commit to dooart/react-todo that referenced this issue Jul 16, 2019
dooart added a commit to dooart/react-todo-walkthrough that referenced this issue Jul 16, 2019
dooart added a commit to dooart/react-spreadsheet that referenced this issue Jul 16, 2019

@lodash lodash deleted a comment from alasdairhurst Jul 17, 2019

@lodash lodash locked as resolved and limited conversation to collaborators Jul 17, 2019

9 participants