From 5d2093592db2db0b0b211f5c49d3caa08c343031 Mon Sep 17 00:00:00 2001
From: Shaun Ek
Date: Thu, 30 Dec 2021 13:16:05 -0700
Subject: [PATCH] fix(): use full lodash instead of per-method pkgs

This change remediates a high severity vulnerability in the lodash.set package dependency by replacing lodash.set, lodash.has, and lodash.get packages with the full lodash. The full lodash is required because the per-method packages are abandoned and no longer updated. This change also removes an uncessary eslint rule that was giving an error when running `npm run lint`. See https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md#version-800-2021-02-21 for more detail.
---
 .eslintrc.js | 1 -
 lib/config.service.ts | 4 +--
 lib/utils/merge-configs.util.ts | 2 +-
 package-lock.json | 51 +++------------------------------
 package.json | 8 ++----
 5 files changed, 8 insertions(+), 58 deletions(-)

diff --git a/.eslintrc.js b/.eslintrc.js
index f678df76..c34fdb3c 100644
--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -9,7 +9,6 @@ module.exports = {
 'plugin:@typescript-eslint/eslint-recommended',
 'plugin:@typescript-eslint/recommended',
 'prettier',
- 'prettier/@typescript-eslint',
 ],
 root: true,
 env: {
diff --git a/lib/config.service.ts b/lib/config.service.ts
index 598ad52d..f92dac21 100644
--- a/lib/config.service.ts
+++ b/lib/config.service.ts
@@ -1,8 +1,6 @@
 import { Inject, Injectable, Optional } from '@nestjs/common';
 import { isUndefined } from '@nestjs/common/utils/shared.utils';
-import get from 'lodash.get';
-import has from 'lodash.has';
-import set from 'lodash.set';
+import { get, has, set } from 'lodash';
 import {
 CONFIGURATION_TOKEN,
 VALIDATED_ENV_PROPNAME,
diff --git a/lib/utils/merge-configs.util.ts b/lib/utils/merge-configs.util.ts
index 6b89ca48..5d6ef86b 100644
--- a/lib/utils/merge-configs.util.ts
+++ b/lib/utils/merge-configs.util.ts
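Review bot: The new `import { get, has, set } from 'lodash';` line pulls the whole lodash build into a library that every consuming application loads at startup, whereas the three removed per-method packages were tiny; the full package also publishes each method as its own module, so `import get from 'lodash/get';`, `import has from 'lodash/has';` and `import set from 'lodash/set';` keep the footprint small while still resolving to the pinned 4.17.21 code that carries the fix (`@types/lodash` 4.14.178 declares those module paths too, as far as I recall). The removed lines already relied on default imports, so that form should compile under the existing tsconfig, but confirm before switching. Whichever form is kept, the remediation rests on the `__proto__`/`constructor`/`prototype` path guard that lodash's `set` gained in 4.17.19 (presumably the CVE-2020-8203 fix the commit message alludes to without naming), so the exact pin in package.json should not be loosened below that version.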
@@ -1,4 +1,4 @@
-import set from 'lodash.set';
+import { set } from 'lodash';
 export function mergeConfigObject(
 host: Record,
diff --git a/package-lock.json b/package-lock.json
index 300b2e6c..283704b6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1883,38 +1883,11 @@
 }
 },
 "@types/lodash": {
- "version": "4.14.149",
- "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.149.tgz",
- "integrity": "sha512-ijGqzZt/b7BfzcK9vTrS6MFljQRPn5BFWOx8oE0GYxribu6uV+aA9zZuXI1zc/etK9E8nrgdoF2+LgUw7+9tJQ==",
+ "version": "4.14.178",
+ "resolved": "https://registry.npmjs.org/@types/lodash/-/lodash-4.14.178.tgz",
+ "integrity": "sha512-0d5Wd09ItQWH1qFbEyQ7oTQ3GZrMfth5JkbN3EvTKLXcHLRDSXeLnlvlOn0wvxVIwK5o2M8JzP/OWz7T3NRsbw==",
 "dev": true
 },
- "@types/lodash.get": {
- "version": "4.4.6",
- "resolved": "https://registry.npmjs.org/@types/lodash.get/-/lodash.get-4.4.6.tgz",
- "integrity": "sha512-E6zzjR3GtNig8UJG/yodBeJeIOtgPkMgsLjDU3CbgCAPC++vJ0eCMnJhVpRZb/ENqEFlov1+3K9TKtY4UdWKtQ==",
- "dev": true,
- "requires": {
- "@types/lodash": "*"
- }
- },
- "@types/lodash.has": {
- "version": "4.5.6",
- "resolved": "https://registry.npmjs.org/@types/lodash.has/-/lodash.has-4.5.6.tgz",
- "integrity": "sha512-SpUCvze0uHilQX/mt4K/cak5OQny1pVfz3pJx6H70dE3Tvw9s7EtlMK+vY6UBS+PQgETDfv6vhwoa3FPS2wrhg==",
- "dev": true,
- "requires": {
- "@types/lodash": "*"
- }
- },
- "@types/lodash.set": {
- "version": "4.3.6",
- "resolved": "https://registry.npmjs.org/@types/lodash.set/-/lodash.set-4.3.6.tgz",
- "integrity": "sha512-ZeGDDlnRYTvS31Laij0RsSaguIUSBTYIlJFKL3vm3T2OAZAQj2YpSvVWJc0WiG4jqg9fGX6PAPGvDqBcHfSgFg==",
- "dev": true,
- "requires": {
- "@types/lodash": "*"
- }
- },
 "@types/minimist": {
 "version": "1.2.2",
 "resolved": "https://registry.npmjs.org/@types/minimist/-/minimist-1.2.2.tgz",
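Review bot: Nothing on the new `import { set } from 'lodash';` line records that the exact `lodash` pin is load-bearing for security, even though `mergeConfigObject` (whose body and remaining parameters lie outside the hunk) is presumably where `set` receives keys taken from configuration sources; I would annotate it: `// lodash >= 4.17.19 required: set() skips __proto__/constructor/prototype path segments (presumably CVE-2020-8203) instead of writing into Object.prototype.` Because that guard returns silently rather than throwing, a `__proto__` key in a partial config is now ignored rather than rejected, which belongs in the function's doc comment so a future caller does not expect an error. A cheap regression test would pin the property that merging such an object leaves `Object.prototype` untouched: `mergeConfigObject({}, JSON.parse('{"__proto__":{"polluted":true}}'))` followed by `expect(({} as Record<string, unknown>).polluted).toBeUndefined()`, assuming the function does walk the second argument's keys into `set(host, key, value)`.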
@@ -6572,18 +6545,7 @@
 "lodash": {
 "version": "4.17.21",
 "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
- "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
- "dev": true
- },
- "lodash.get": {
- "version": "4.4.2",
- "resolved": "https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz",
- "integrity": "sha1-LRd/ZS+jHpObRDjVNBSZ36OCXpk="
- },
- "lodash.has": {
- "version": "4.5.2",
- "resolved": "https://registry.npmjs.org/lodash.has/-/lodash.has-4.5.2.tgz",
- "integrity": "sha1-0Z9NwQlQWMzL4rDN9O4P5Ko3yGI="
+ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
 },
 "lodash.memoize": {
 "version": "4.1.2",
@@ -6597,11 +6559,6 @@
 "integrity": "sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==",
 "dev": true
 },
- "lodash.set": {
- "version": "4.3.2",
- "resolved": "https://registry.npmjs.org/lodash.set/-/lodash.set-4.3.2.tgz",
- "integrity": "sha1-2HV7HagH3eJIFrDWqEvqGnYjCyM="
- },
 "log-symbols": {
 "version": "4.1.0",
 "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-4.1.0.tgz",
diff --git a/package.json b/package.json
index 01abb468..bc41a493 100644
--- a/package.json
+++ b/package.json
@@ -20,9 +20,7 @@
 "dependencies": {
 "dotenv": "10.0.0",
 "dotenv-expand": "5.1.0",
- "lodash.get": "4.4.2",
- "lodash.has": "4.5.2",
- "lodash.set": "4.3.2",
+ "lodash": "4.17.21",
 "uuid": "8.3.2"
 },
 "devDependencies": {
@@ -33,9 +31,7 @@
 "@nestjs/platform-express": "8.2.4",
 "@nestjs/testing": "8.2.4",
 "@types/jest": "27.0.3",
- "@types/lodash.get": "4.4.6",
- "@types/lodash.has": "4.5.6",
- "@types/lodash.set": "4.3.6",
+ "@types/lodash": "4.14.178",
 "@types/node": "16.11.17",
 "@types/uuid": "8.3.3",
 "@typescript-eslint/eslint-plugin": "5.8.1",