refactor(core): Replace lodash's "soft-deprecated" individual packages with lodash
to resolve CVE (no-changelog)
#6450
Conversation
Hey @cjwooo, Thanks for the PR, I have added this to our internal tracker as
In the long term, we need to remove lodash from the codebase, as it's becoming increasingly stale. But, to address the mentioned CVE, I've updated the codebase to use the single lodash package, and removed all the individual lodash packages.
Codecov Report

Patch coverage:

Additional details and impacted files (Coverage Diff):

| | master | #6450 | +/- |
|---|---|---|---|
| Coverage | 28.44% | 28.37% | -0.08% |
| Files | 2991 | 2991 | |
| Lines | 185943 | 185943 | |
| Branches | 20508 | 20506 | -2 |
| Hits | 52889 | 52758 | -131 |
| Misses | 132260 | 132391 | +131 |
| Partials | 794 | 794 | |

View full report in Codecov by Sentry.
```text
* master: (34 commits)
  feat(editor): Replace root events with event bus events (no-changelog) (#6454)
  feat(DebugHelper Node): Fix and include in main app (#6406)
  feat(Webhook Node): Stream binary response in `lastNode.firstEntryBinary` mode (#6463)
  fix(editor): Update git repo URL validation to prevent using https protocol (#6475)
  fix(editor): Remove tooltip about SMTP being required to invite user (no-changelog) (#6474)
  feat: Add support for large files with declarative nodes (#6461)
  fix(core): Fix the url sent in the password-reset emails (#6466)
  fix(HTML Node): Prevent XSS in execution-data preview (#6432)
  fix(Snowflake Node): Upgrade snowflake-sdk to address CVE-2023-34232 (no-changelog) (#6458)
  refactor(core): Replace lodash's "soft-deprecated" individual packages with `lodash` to resolve CVE (no-changelog) (#6450)
  fix(editor): Remove `$if`, `$min` and `$max` from code node autocomplete (#6460)
  fix(editor): Fix DNV header disappearing when scrolling the code editor content (#6459)
  feat: Remove vue-fragment (no-changelog) (#6456)
  ci: Prevent e2e failure on `commented` type review (no-changelog) (#6452)
  fix(LinkedIn Node): Remove unsupported description from image posts (#6446)
  fix(Split In Batches Node): Add "done" context to allow simple reset (#6437)
  feat(Gmail Node): Add reply to email (#6453)
  fix: Remove Vue.component usage and refactor plugins into Vue Plugins (no-changelog) (#6445)
  fix(editor): Show confirm on pull only when http response status is 409 (#6451)
  fix(editor): Update data pinning tooltip to match current behaviour (#6436)
  ...

# Conflicts:
# packages/nodes-base/nodes/CompareDatasets/GenericFunctions.ts
# packages/nodes-base/nodes/Merge/v2/GenericFunctions.ts
```
Got released with
The lodash.set package has an open CVE: https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032. The maintainer of Lodash will not release a patched version, and he considers the per-method packages soft-deprecated.
This pull request replaces uses of the lodash.set package with the regular lodash package that contains all lodash commands.
I'd also recommend replacing all uses of the `lodash.<command>` packages with the regular lodash package, to make management of dependencies easier.
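The recommendation above (replace every `lodash.<command>` per-method package with the single `lodash` package) is easy to apply once and hard to keep applied as new dependencies land. The following is an added example, not code from the n8n PR or the lodash project: it audits a `package.json` for per-method lodash packages and rewrites their ESM/CommonJS imports to the `lodash/<method>` path inside the main package. The `METHOD_NAMES` map is a constructed, partial assumption: per-method package names are all lowercase (`lodash.camelcase`), while the main package exports camelCase names (`lodash/camelCase`), so multi-word methods need an explicit mapping and anything unmapped is reported for manual review rather than guessed. The sample `package.json` and source are constructed inputs.

```javascript
// Added example (not part of the n8n PR): audit a package.json for lodash's
// per-method packages ("lodash.set", "lodash.get", ...) and suggest the
// equivalent import from the single `lodash` package.

// Per-method package names are all-lowercase, so multi-word methods need an
// explicit map back to lodash's camelCase export. This map is a constructed,
// partial example; anything not listed is reported for manual review.
const METHOD_NAMES = {
  set: 'set', get: 'get', merge: 'merge', isequal: 'isEqual',
  camelcase: 'camelCase', debounce: 'debounce', clonedeep: 'cloneDeep',
};

const PER_METHOD = /^lodash\.([a-z]+)$/;

// Return every per-method lodash dependency with its suggested replacement
// (null when the method name is not in METHOD_NAMES).
function auditLodash(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const m = PER_METHOD.exec(name);
      if (!m) continue;
      const method = METHOD_NAMES[m[1]];
      findings.push({
        field,
        name,
        range,
        replacement: method ? `lodash/${method}` : null,
      });
    }
  }
  return findings;
}

// Rewrite ESM default imports and CommonJS requires of per-method packages
// to the single-package path form. Unmapped method names are left untouched
// so that a human reviews them instead of the script guessing a name.
function rewriteImports(source) {
  const toPath = (pkgName) => {
    const m = PER_METHOD.exec(pkgName);
    const method = m && METHOD_NAMES[m[1]];
    return method ? `lodash/${method}` : pkgName;
  };
  return source
    .replace(/(import\s+\w+\s+from\s+)(['"])(lodash\.[a-z]+)\2/g,
      (_, head, q, name) => `${head}${q}${toPath(name)}${q}`)
    .replace(/(require\()(['"])(lodash\.[a-z]+)\2\)/g,
      (_, head, q, name) => `${head}${q}${toPath(name)}${q})`);
}

// Constructed sample package.json and source file (not from the n8n repo).
const SAMPLE_PKG = {
  dependencies: { 'lodash.set': '^4.3.2', 'lodash.merge': '^4.6.2', express: '^4.18.0' },
  devDependencies: { 'lodash.somethingodd': '^1.0.0' },
};
const SAMPLE_SRC = "import set from 'lodash.set';\nconst merge = require('lodash.merge');\n";

// Usage: print the findings and the rewritten source.
console.log(auditLodash(SAMPLE_PKG));
console.log(rewriteImports(SAMPLE_SRC));
```

Running the audit in CI (failing the build when `auditLodash` returns a non-empty list) keeps the per-method packages from creeping back in through transitive upgrades or copy-pasted imports; the rewrite is a one-shot migration aid and still needs a review pass for any finding whose `replacement` is `null`.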