
fix: prototype pollution in _.defaultsDeep #4336

Merged
merged 1 commit into lodash:4.17.12-pre on Jun 24, 2019

Conversation

10 participants
@Kirill89

commented Jun 19, 2019

The PR is fixing a Prototype Pollution vulnerability in _.defaultsDeep.

You can see details about a similar vulnerability here: https://snyk.io/vuln/SNYK-JS-LODASH-73638
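For readers following the fix, here is an added example (not lodash's code and not from this PR) of the defensive shape such a deep-defaults needs: it refuses to descend into the keys that can reach `Object.prototype` and only ever assigns own properties. The JSON document, `safeDefaultsDeep` and `prototypeIsClean` are constructed for the illustration.

```javascript
// Keys that let a merge reach Object.prototype instead of the target object.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Fill missing properties of `target` from `source`, recursing into plain
// objects. Unsafe keys are skipped outright and only the source's own
// enumerable keys are consulted, so nothing inherited is ever walked.
function safeDefaultsDeep(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (!hasOwn(target, key)) {
      // Copy plain objects into a fresh own object rather than aliasing them.
      target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDefaultsDeep(target[key], srcVal);
    }
  }
  return target;
}

// True when Object.prototype carries no own property named `name`.
function prototypeIsClean(name) {
  return !hasOwn(Object.prototype, name);
}

// Constructed sample: an untrusted JSON document of the shape the advisory
// describes, applied as defaults to an application config.
const UNTRUSTED_JSON =
  '{"timeout": 30, "__proto__": {"isAdmin": true},' +
  ' "retry": {"count": 3, "constructor": {"prototype": {"x": 1}}}}';

function demo() {
  const config = { retry: { count: 5 } };
  safeDefaultsDeep(config, JSON.parse(UNTRUSTED_JSON));
  return { config, clean: prototypeIsClean('isAdmin') && ({}).isAdmin === undefined };
}
```

`demo()` returns the merged config (`timeout` filled in, `retry.count` left at 5) with `clean === true`, and neither `isAdmin` nor `x` ever appears on fresh objects.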

@jsf-clabot


commented Jun 19, 2019

CLA assistant check
All committers have signed the CLA.


@jdalton jdalton added the bug label Jun 24, 2019

@jdalton jdalton merged commit 1f8ea07 into lodash:4.17.12-pre Jun 24, 2019

1 check passed

licence/cla Contributor License Agreement is signed.
@jdalton

Member

commented Jun 24, 2019

Thank you @Kirill89!

@KrayzeeKev


commented Jul 2, 2019

What is the expectation on this version being released? The bug is preventing a production deployment for our product and putting a specific commit or a -pre version into production just messes with ongoing regular updating.

@MRhyne1931


commented Jul 8, 2019

Would like to echo @KrayzeeKev. Experiencing something similar and would like to understand when the official version will be released? Thanks.

@luke-perry


commented Jul 9, 2019

Also preventing a production push for us. Again, trying to understand when a release will be published.

@falsyvalues

Member

commented Jul 10, 2019

Lodash v4.17.13 was released yesterday.

@jagij


commented Jul 10, 2019

I don't want to undermine Snyk's business model, but what is the procedure to flag the issue on v4.17.11 with npm audit?


dshoreman added a commit to dshoreman/servidor that referenced this pull request Jul 11, 2019

🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch) (#82)
🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch)

Advisory: CVE-2019-10744
Disclosed: July 10, 2019
URL: lodash/lodash#4336

@Mike-Tran Mike-Tran referenced this pull request Jul 11, 2019

Merged

Fix lodash vulnerability #6


emizzle added a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019

fix(@vue/cli-service): Update lodash.defaultsdeep
Update `lodash.defaultsdeep` to version `^4.6.1`.

This is causing a high severity vulnerability in our repo.

Fixed in lodash/lodash#4336.

leothekim added a commit to trialspark/enzyme-context that referenced this pull request Jul 15, 2019

Update lodash.merge to 4.6.2 (#27)
To address a security vulnerability:
lodash/lodash#4336

andrew-jung added a commit to sdelements/material-ui that referenced this pull request Jul 15, 2019

Update package.json
Update lodash.merge to ^4.6.2 (from ^4.6.0)

lodash/lodash#4348
lodash/lodash#4336

@andrew-jung andrew-jung referenced this pull request Jul 15, 2019

Closed

Update package.json #5

ricmoo added a commit to ethers-io/ethers.js that referenced this pull request Jul 15, 2019

Updated package-lock for lodash security advisory; the package is only a development dependency, so no urgent need to publish, just for developers (lodash/lodash#4336).
