Dependency Issues #213

Closed
nothingismagick opened this issue Mar 24, 2019 · 3 comments
Comments

@nothingismagick

You are using the modularized versions of lodash, and these are outdated. Specifically lodash.merge is vulnerable to prototype pollution: https://snyk.io/vuln/SNYK-JS-LODASHMERGE-173732

I would recommend moving to lodash 4.17.11 or greater.

Here are the packages you are using:

    "lodash.isobject": "^3.0.2",
    "lodash.isplainobject": "^4.0.6",
    "lodash.merge": "^4.6.1",
    "lodash.omit": "^4.5.0",
    "lodash.trim": "^4.5.1",

Is there a reason not to just import like this:

    const merge = require('lodash/merge');
@marshallswain
Member

Hi, @nothingismagick. Thanks for notifying me about this. I didn't realize they were out of sync with the rest of lodash. The goal was to keep the package size as small as possible. The new build system supports tree shaking, so it should be an easy switch, now.

@nothingismagick
Author

nothingismagick commented Mar 25, 2019 via email

@marshallswain
Member

marshallswain commented Apr 1, 2019

I believe I have all of these fixed in my current PR for feathers-vuex@2.0.x.

#216
