fix: resolve critical lodash vulnerabilities (transitive via gitbook-plugin-sharing) #372
Conversation
- Added npm overrides to force lodash ^4.17.21
- Addresses GHSA-fvqr-27wr-82fm, GHSA-35jh-r3h4-6jhm, and others
- Resolves transitive dependency issues in unmaintained gitbook plugin
Pull request overview
This PR mitigates known critical lodash vulnerabilities introduced transitively (via gitbook-plugin-sharing) by forcing a safe lodash version through dependency override configuration.
Changes:
- Added an npm `overrides` rule to force `lodash` to `^4.17.21`.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
add gitbook-plugin-sharing condition

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Updates made based on Copilot's recommendations.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| "overrides": { | ||
| "gitbook-plugin-sharing": { | ||
| "lodash": "4.17.21" | ||
| } | ||
| }, |
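Review bot: the nested form used here applies the lodash override only beneath gitbook-plugin-sharing, so any other package that declares its own lodash keeps whatever version it asked for. A top-level entry inside `overrides`, i.e. `"lodash": "^4.17.21"` without the plugin wrapper, applies to every copy in the tree and is the simpler fix; note that it silently moves plugins written against lodash 3.x onto lodash 4, so build the site once after reinstalling to confirm they still work.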
The npm overrides block here only forces lodash for gitbook-plugin-sharing. This repo also uses other GitBook/Honkit plugins that bring in vulnerable lodash versions (e.g., gitbook-plugin-exercises is documented as depending on lodash 3.x in the existing yarn install log), so npm audit may still report lodash advisories when installing with npm. Consider adding a root-level override for lodash (or additional per-plugin overrides) so all transitive lodash copies resolve to >=4.17.21, and re-run npm audit to confirm the advisories are fully cleared.
| "overrides": { | ||
| "gitbook-plugin-sharing": { | ||
| "lodash": "4.17.21" | ||
| } | ||
| }, | ||
| "resolutions": { | ||
| "lodash": "^4.17.21" | ||
| } |
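Review bot: the npm `overrides` entry pins an exact `4.17.21` while the Yarn `resolutions` entry allows `^4.17.21`, so the two package managers will drift apart as further 4.17.x patches are published; use the same specifier in both (the range form is what the PR description states) and, after reinstalling, confirm with `npm ls lodash` and `yarn why lodash` that no copy below 4.17.21 remains anywhere in the tree, since `npm audit` reports per advisory rather than per installed copy.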
overrides (npm) and resolutions (Yarn) are both present, but they specify lodash differently (4.17.21 vs ^4.17.21) and the PR description says it forces ^4.17.21. To avoid inconsistent installs across package managers, align these constraints (either both exact or both ranged) and consider documenting/encoding the supported package manager + minimum npm version (since overrides requires newer npm).
Description
This PR addresses several critical vulnerabilities identified in `lodash` (≤ 4.17.20), which is brought in as a transitive dependency via `gitbook-plugin-sharing`. Since the plugin is currently unmaintained and hasn't updated its dependencies, I have implemented an `overrides` block in `package.json` to force `lodash` to version `^4.17.21`.
Related Issues
Changes
- `package.json` with npm `overrides`.
Verification
- `npm audit` locally; critical vulnerabilities related to lodash are now resolved.