Skip to content

fix(deps): update dependency lodash to v4.17.21 [security] #177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 28, 2022
Merged

fix(deps): update dependency lodash to v4.17.21 [security] #177

merged 1 commit into from
Apr 28, 2022

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 7, 2022
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
lodash (source) 4.17.10 -> 4.17.21 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2021-23337

lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2018-16487

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Recommendation

Update to version 4.17.11 or later.

CVE-2019-1010266

lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.

CVE-2020-28500

All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

CVE-2020-8203

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Release Notes

lodash/lodash

v4.17.21

Compare Source

v4.17.20

Compare Source

v4.17.19

v4.17.16

Compare Source

v4.17.15

Compare Source

v4.17.14

Compare Source

v4.17.13

Compare Source

v4.17.12

Compare Source

v4.17.11

Compare Source

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot added the chore label Mar 7, 2022
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch 9 times, most recently from e897028 to b08fa22 Compare March 7, 2022 20:44
@renovate renovate bot changed the title fix(deps): update dependency lodash to v4.17.21 [security] fix(deps): update dependency lodash to v4.17.21 [security] - autoclosed Apr 27, 2022
@renovate renovate bot closed this Apr 27, 2022
@renovate renovate bot deleted the renovate/npm-lodash-vulnerability branch April 27, 2022 12:04
@renovate renovate bot changed the title fix(deps): update dependency lodash to v4.17.21 [security] - autoclosed fix(deps): update dependency lodash to v4.17.21 [security] Apr 27, 2022
@renovate renovate bot reopened this Apr 27, 2022
@renovate renovate bot restored the renovate/npm-lodash-vulnerability branch April 27, 2022 14:38
@renovate renovate bot changed the title fix(deps): update dependency lodash to v4.17.21 [security] fix(deps): update dependency lodash to v4.17.21 [security] - autoclosed Apr 27, 2022
@renovate renovate bot closed this Apr 27, 2022
@renovate renovate bot deleted the renovate/npm-lodash-vulnerability branch April 27, 2022 17:12
@renovate renovate bot changed the title fix(deps): update dependency lodash to v4.17.21 [security] - autoclosed fix(deps): update dependency lodash to v4.17.21 [security] Apr 27, 2022
@renovate renovate bot reopened this Apr 27, 2022
@renovate renovate bot restored the renovate/npm-lodash-vulnerability branch April 27, 2022 19:42
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from b08fa22 to f00dd15 Compare April 28, 2022 00:52
@renovate renovate bot force-pushed the renovate/npm-lodash-vulnerability branch from f00dd15 to 46845c4 Compare April 28, 2022 01:05
@renovate renovate bot merged commit f1b2e75 into master Apr 28, 2022
@renovate renovate bot deleted the renovate/npm-lodash-vulnerability branch April 28, 2022 01:17
@uniibu uniibu mentioned this pull request Nov 4, 2022
Open
@uniibu uniibu mentioned this pull request Dec 25, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

chore

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@renovate-bot