fix(): use full lodash instead of per-method pkgs #792
This change remediates a high severity vulnerability in the lodash.set
package dependency by replacing lodash.set, lodash.has, and lodash.get
packages with the full lodash. The full lodash is required because the
per-method packages are abandoned and no longer updated. #791
This change also removes an unnecessary eslint rule that was giving an error when running `npm run lint`. See https://github.com/prettier/eslint-config-prettier/blob/main/CHANGELOG.md#version-800-2021-02-21 for more detail.

PR Checklist
Please check if your PR fulfills the following requirements:
PR Type
What kind of change does this PR introduce?
What is the current behavior?
Issue Number: #791

The lodash.set dependency has a Prototype Pollution vulnerability. A call to lodash's `set` method like this:

```js
set({}, "__proto__[test]", "123");
```

will result in the `Object.prototype` being modified.

What is the new behavior?

Using the full lodash dependency this vulnerability is no longer present. No change in functionality.
Does this PR introduce a breaking change?
Other information
Snyk security bulletin describing the vuln: https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032
Original HackerOne report: https://hackerone.com/reports/864701