
refactor(core): Replace lodash's "soft-deprecated" individual packages with lodash to resolve CVE (no-changelog) #6450

Merged (3 commits, Jun 16, 2023)

Conversation

@cjwooo (Contributor) commented Jun 16, 2023

The lodash.set package has an open CVE: https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032. The maintainer of Lodash will not release a patched version, and he considers the per-method packages soft-deprecated.

This pull request replaces uses of the lodash.set package with the regular lodash package that contains all lodash commands.

I'd also recommend replacing all uses of the lodash.<command> packages with the regular lodash package, to make management of dependencies easier.

@cjwooo changed the title from "Replace lodash.set with lodash" to "Replace lodash.set with lodash to resolve CVE" on Jun 16, 2023
@n8n-assistant (bot) added the labels community (Authored by a community member), core (Enhancement outside /nodes-base and /editor-ui) and node/improvement (New feature or request) on Jun 16, 2023
@Joffcom added the label in linear (Issue or PR has been created in Linear for internal review) on Jun 16, 2023
@Joffcom (Member) commented Jun 16, 2023

Hey @cjwooo,

Thanks for the PR, I have added this to our internal tracker as ENG-81 so we can think about whether we want to accept this PR or do something different.

@netroy changed the title from "Replace lodash.set with lodash to resolve CVE" to "refactor(core): Replace lodash's "soft-deprecated" individual packages with lodash to resolve CVE (no-changelog)" on Jun 16, 2023

@netroy (Member) left a comment


In the long term, we need to remove lodash from the codebase, as it's becoming increasingly stale. But, to address the mentioned CVE, I've updated the codebase to use the single lodash package, and removed all the individual lodash packages.
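The dependency swap described in the PR description and in the comment above, as an added example that is not n8n's own code: a small check that finds soft-deprecated per-method `lodash.<method>` packages in a parsed package.json and rewrites their import specifiers to deep imports from the single `lodash` package. The `lodash/<method>` target, the `LODASH_METHODS` subset and the sample inputs are assumptions constructed for the example; the catch handled here is that per-method package names are all-lowercase while lodash's module paths are camelCase (`lodash.isequal` must become `lodash/isEqual`, which matters on case-sensitive filesystems).

```javascript
'use strict';

// Per-method package names are lowercase but lodash module paths are camelCase,
// so resolution needs the real method names. In practice pass
// Object.keys(require('lodash')); a constructed subset is used here so the
// example runs without lodash installed.
const LODASH_METHODS = ['set', 'get', 'merge', 'isEqual', 'cloneDeep', 'debounce'];

// 'lodash.isequal' -> 'lodash/isEqual'; null if not a per-method package or unknown.
function resolveLodashPath(pkgName, methodNames = LODASH_METHODS) {
  const m = /^lodash\.([a-z0-9]+)$/.exec(pkgName);
  if (!m) return null;
  const method = methodNames.find((n) => n.toLowerCase() === m[1]);
  return method ? `lodash/${method}` : null; // null: review by hand
}

// Lists every lodash.<method> dependency in the parsed package.json, with the
// suggested replacement (null when the method name could not be resolved).
function findPerMethodLodashDeps(pkg, methodNames = LODASH_METHODS) {
  const sections = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
  const hits = [];
  for (const section of sections) {
    for (const [name, version] of Object.entries(pkg[section] || {})) {
      if (/^lodash\.[a-z0-9]+$/.test(name)) {
        hits.push({ section, name, version, replacement: resolveLodashPath(name, methodNames) });
      }
    }
  }
  return hits;
}

// Rewrites quoted specifiers in `import x from 'lodash.set'` and
// `require("lodash.set")`. Unresolvable specifiers are left untouched.
function rewriteLodashImports(source, methodNames = LODASH_METHODS) {
  return source.replace(/(['"])(lodash\.[a-z0-9]+)\1/g, (whole, quote, name) => {
    const target = resolveLodashPath(name, methodNames);
    return target ? `${quote}${target}${quote}` : whole;
  });
}

// Constructed sample input mirroring the kind of dependency this PR replaced.
const samplePkg = {
  dependencies: { lodash: '4.17.21', 'lodash.set': '4.3.2', 'lodash.isequal': '4.5.0' },
  devDependencies: { 'lodash.foo': '1.0.0' },
};
const sampleSource = "import set from 'lodash.set';\nconst isEqual = require(\"lodash.isequal\");\n";

console.log(findPerMethodLodashDeps(samplePkg));
console.log(rewriteLodashImports(sampleSource));
```

Run it against a real package.json with `Object.keys(require('lodash'))` as `methodNames`; any hit whose `replacement` is null needs a manual look rather than a blind rewrite.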

@codecov (bot) commented Jun 16, 2023

Codecov Report

Patch coverage: 47.59% and project coverage change: -0.08 ⚠️

Comparison is base (16f707d) 28.44% compared to head (1683284) 28.37%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #6450      +/-   ##
==========================================
- Coverage   28.44%   28.37%   -0.08%     
==========================================
  Files        2991     2991              
  Lines      185943   185943              
  Branches    20508    20506       -2     
==========================================
- Hits        52889    52758     -131     
- Misses     132260   132391     +131     
  Partials      794      794              
Impacted Files | Coverage Δ
packages/cli/src/ReloadNodesAndCredentials.ts 0.00% <0.00%> (ø)
packages/cli/src/commands/executeBatch.ts 0.00% <0.00%> (ø)
...ckages/cli/src/credentials/oauth2Credential.api.ts 0.00% <0.00%> (ø)
...nodes-base/nodes/ActionNetwork/GenericFunctions.ts 0.00% <0.00%> (ø)
...ackages/nodes-base/nodes/Asana/GenericFunctions.ts 0.00% <0.00%> (ø)
...ackages/nodes-base/nodes/Aws/AwsSnsTrigger.node.ts 0.00% <0.00%> (ø)
...e/nodes/Aws/CertificateManager/GenericFunctions.ts 0.00% <0.00%> (ø)
...kages/nodes-base/nodes/Aws/ELB/GenericFunctions.ts 0.00% <0.00%> (ø)
...kages/nodes-base/nodes/Aws/SES/GenericFunctions.ts 0.00% <0.00%> (ø)
...odes-base/nodes/Aws/Transcribe/GenericFunctions.ts 0.00% <0.00%> (ø)
... and 83 more

... and 4 files with indirect coverage changes


@netroy netroy merged commit 1111c91 into n8n-io:master Jun 16, 2023
MiloradFilipovic added a commit that referenced this pull request Jun 20, 2023
* master: (34 commits)
  feat(editor): Replace root events with event bus events (no-changelog) (#6454)
  feat(DebugHelper Node): Fix and include in main app (#6406)
  feat(Webhook Node): Stream binary response in `lastNode.firstEntryBinary` mode (#6463)
  fix(editor): Update git repo URL validation to prevent using https protocol (#6475)
  fix(editor): Remove tooltip about SMTP being required to invite user (no-changelog) (#6474)
  feat: Add support for large files with declarative nodes (#6461)
  fix(core): Fix the url sent in the password-reset emails (#6466)
  fix(HTML Node): Prevent XSS in execution-data preview (#6432)
  fix(Snowflake Node): Upgrade snowflake-sdk to address CVE-2023-34232 (no-changelog) (#6458)
  refactor(core): Replace lodash's "soft-deprecated" individual packages with `lodash` to resolve CVE (no-changelog) (#6450)
  fix(editor): Remove `$if`, `$min` and `$max` from code node autocomplete (#6460)
  fix(editor): Fix DNV header disappearing when scrolling the code editor content (#6459)
  feat: Remove vue-fragment (no-changelog) (#6456)
  ci: Prevent e2e failure on `commented` type review (no-changelog) (#6452)
  fix(LinkedIn Node): Remove unsupported description from image posts (#6446)
  fix(Split In Batches Node): Add "done" context to allow simple reset (#6437)
  feat(Gmail Node): Add reply to email (#6453)
  fix: Remove Vue.component usage and refactor plugins into Vue Plugins (no-changelog) (#6445)
  fix(editor): Show confirm on pull only when http response status is 409 (#6451)
  fix(editor): Update data pinning tooltip to match current behaviour (#6436)
  ...

# Conflicts:
#	packages/nodes-base/nodes/CompareDatasets/GenericFunctions.ts
#	packages/nodes-base/nodes/Merge/v2/GenericFunctions.ts
@janober (Member) commented Jun 22, 2023

Got released with n8n@0.234.0

paulwer added a commit to paulwer/n8n that referenced this pull request Jun 29, 2023