Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong version in lodash.pick vulnerability report CVE-2020-8203 #5809

Open
Pfahlf opened this issue Jan 25, 2024 · 8 comments
Open

Wrong version in lodash.pick vulnerability report CVE-2020-8203 #5809

Pfahlf opened this issue Jan 25, 2024 · 8 comments

Comments

@Pfahlf
Copy link

Pfahlf commented Jan 25, 2024
edited

Hi,

It appears that a vulnerability with High severity has been reported with wrong patching version.

Currently latest release is 4.4.0 but for CVE-2020-8203 the patched version is 4.17.19.

For us pnpm audit is failing because of this
@bursache
Copy link

Same for lodash.set and probably some more

@Pfahlf
Copy link
Author

Pfahlf commented Jan 25, 2024
edited

Okay, as workaround if you are using pnpm, add this to the package.json

"pnpm": {
    "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }
  }

The solution above is in case lodash is being referenced as a sub-dependecy.

If you are referencing directly any of the affected packages through dependencies or devDependencies, simply reference the commit as following:

"lodash.pick": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"

or:

"lodash.pick": "https://github.com/lodash/lodash/archive/refs/tags/4.17.21.tar.gz"

@arochedy
Copy link

Okay, as workaround if you are using pnpm, add this to the package.json

"pnpm": {
    "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }
  }

The solution above is in case lodash is being referenced as a sub-dependecy.

If you are referencing directly any of the affected packages through dependencies or devDependencies, simply reference the commit as following:

"lodash.pick": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"

It's working thank you

for npm I just add

 "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }

in package.json

@fionnachan fionnachan mentioned this issue Jan 26, 2024
Merged
zacharygriffee added a commit to zacharygriffee/bring-your-own-storage-utilities that referenced this issue Jan 26, 2024
@zacharygriffee
- remove svelte-awesome from dep list
03da9f1 
- override incorrect lodash.pick vulnerability lodash/lodash#5809
zacharygriffee added a commit to zacharygriffee/bring-your-own-storage-utilities that referenced this issue Jan 26, 2024
@zacharygriffee
- remove svelte-awesome from dep list
4e0348d 
- override incorrect lodash.pick vulnerability lodash/lodash#5809
@causaly-mark
Copy link

Okay, as workaround if you are using pnpm, add this to the package.json

"pnpm": {
    "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }
  }

The solution above is in case lodash is being referenced as a sub-dependecy.

If you are referencing directly any of the affected packages through dependencies or devDependencies, simply reference the commit as following:

"lodash.pick": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"

or:

"lodash.pick": "https://github.com/lodash/lodash/archive/refs/tags/4.17.21.tar.gz"

Do I understand correctly that the workaround for this is to replace lodash.pick@4.4.0 with... the current version of the whole of lodash?

@Pfahlf
Copy link
Author

Pfahlf commented Jan 29, 2024

Okay, as workaround if you are using pnpm, add this to the package.json

"pnpm": {
    "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }
  }

The solution above is in case lodash is being referenced as a sub-dependecy.
If you are referencing directly any of the affected packages through dependencies or devDependencies, simply reference the commit as following:
"lodash.pick": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
or:
"lodash.pick": "https://github.com/lodash/lodash/archive/refs/tags/4.17.21.tar.gz"

Do I understand correctly that the workaround for this is to replace lodash.pick@4.4.0 with... the current version of the whole of lodash?

Please, if you have any better solution to this workaround feel free to share it instead of complaining.

@causaly-mark
Copy link

Okay, as workaround if you are using pnpm, add this to the package.json

"pnpm": {
    "overrides": {
      "lodash.pick@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
    }
  }

The solution above is in case lodash is being referenced as a sub-dependecy.
If you are referencing directly any of the affected packages through dependencies or devDependencies, simply reference the commit as following:
"lodash.pick": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
or:
"lodash.pick": "https://github.com/lodash/lodash/archive/refs/tags/4.17.21.tar.gz"

Do I understand correctly that the workaround for this is to replace lodash.pick@4.4.0 with... the current version of the whole of lodash?

Please, if you have any better solution to this workaround feel free to share it instead of complaining.

I'n not complaining; I'm asking for clarification. I'm trying to understand the nature of the problem - and whether the workaround fixes the underlying issue.

The reason I ask is that the fix that went into 4.17.19 doesn't actually affect the pick utlilty at all. I don't want to apply a fix if it doesn't actually address the problem.

I'm currently trying to see what I can learn from the other fixed modules (e.g. lodash-es). Will update when I have more concrete information.

@nclavaud
Copy link

@causaly-mark I think this is because the per-method packages are not maintained/released anymore.

See this other, similar issue about another method package: #5808
and https://lodash.com/per-method-packages for the official documentation discouraging their use.

@brickfungus brickfungus mentioned this issue Jan 30, 2024
Closed
@causaly-mark
Copy link

causaly-mark commented Feb 1, 2024
edited

So to follow up on my previous comment:

  1. When the modularized versions of lodash.pick etc. were created, they duplicated code rather than using e.g. the set functionality from other parts of lodash. That has since changed, but it probably means that the mistake fixed in lodash itself, while it doesn't apply directly, is pertinent to lodash.pick (and others) since the naive copying of object properties was duplicated... Therefore an update is wise.
  2. As @nclavaud notes, the modularised packages are now essentially deprecated. Thus, If you use lodash.pick or another modularised lodash subset as a direct dependency in your projects, drop it and replace it with lodash. If you're able to apply it to transitive uses, the solution suggested by @Pfahlf makes sense.

@bcgilliom bcgilliom mentioned this issue Feb 9, 2024
Open
@pedrokohler pedrokohler mentioned this issue Feb 9, 2024
Merged
@joshtrichards joshtrichards mentioned this issue Feb 29, 2024
Open
@Zalk0 Zalk0 mentioned this issue Apr 5, 2024
Merged
@0x-a6 0x-a6 mentioned this issue Apr 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@nclavaud @arochedy @Pfahlf @bursache @causaly-mark