Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency lodash to 4.17.21 [security] #132

Merged
merged 1 commit into from
Jun 12, 2021
Merged

chore(deps): update dependency lodash to 4.17.21 [security] #132

merged 1 commit into from
Jun 12, 2021

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 8, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change
lodash 4.17.4 -> 4.17.21

GitHub Vulnerability Alerts

CVE-2018-3721

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.5 or later.

CVE-2018-16487

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

CVE-2019-10744

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.12 or later.

CVE-2019-1010266

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

CVE-2020-8203

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

CVE-2021-23337

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Configuration

📅 Schedule: "" in timezone America/New_York.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 8 times, most recently from dc476b2 to 862b2d0 Compare June 11, 2021 19:35
@renovate renovate bot requested a review from a team June 11, 2021 19:35
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 3 times, most recently from 12d72a1 to c59e826 Compare June 11, 2021 21:19
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 2 times, most recently from 0aff2f9 to a681adf Compare June 12, 2021 00:45
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from a681adf to 7642f78 Compare June 12, 2021 01:22
@stvstnfrd stvstnfrd merged commit d65bccd into master Jun 12, 2021
@stvstnfrd stvstnfrd deleted the renovate/npm-lodash-vulnerability branch June 12, 2021 01:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stvstnfrd stvstnfrd stvstnfrd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@stvstnfrd @renovate-bot