Skip to content

Lodash dependency causes prototype pollution issue: can you use another package instead of lodash? #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
marcoippolito opened this issue Jul 2, 2020 · 7 comments · Fixed by #135
Closed

Lodash dependency causes prototype pollution issue: can you use another package instead of lodash? #134

marcoippolito opened this issue Jul 2, 2020 · 7 comments · Fixed by #135
Milestone
v5

Comments

@marcoippolito
Copy link

│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @vue/cli-service > webpack-merge > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1523

https://www.npmjs.com/advisories/1523 : "No fix is currently available. Consider using an alternative package until a fix is made available."

webpack-merge@4.2.2

Can you use another package instead of lodash?
@bebraw
Copy link
Member

bebraw commented Jul 2, 2020

What would be a good alternative? I can resolve this in the next major version.

@marcoippolito
Copy link
Author

@bebraw I'm not that expert of Lodash.
Just looking around I found these info:

@bebraw
Copy link
Member

bebraw commented Jul 2, 2020 via email

@marcoippolito
Copy link
Author

@bebraw Thank you very much!!!

bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Remove lodash differenceWith from the project

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
5482ee4 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Drop dependency on lodash isFunction
d78bc61 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
fix: Drop dependency on isPlainObject
305cb2b 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Replace lodash mergeWith at join-arrays with a custom one
a08e4fd 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Use custom mergeWith at index as well
cdebe9e 
Related to #134.
@bebraw bebraw added this to the v5 milestone Jul 3, 2020
@bebraw
Copy link
Member

bebraw commented Jul 3, 2020

I've done this at the develop branch and the change is going to be included to the next major version.

@bebraw bebraw mentioned this issue Jul 3, 2020
Merged
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Remove lodash differenceWith from the project
fa2c71f 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Drop dependency on lodash isFunction
23d24a4 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
fix: Drop dependency on isPlainObject
d2d0639 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Replace lodash mergeWith at join-arrays with a custom one
0b81865 
Related to #134.
bebraw added a commit that referenced this issue Jul 3, 2020
@bebraw
refactor: Use custom mergeWith at index as well
366d0be 
Related to #134.
@bebraw bebraw mentioned this issue Jul 3, 2020
Closed
@marcoippolito
Copy link
Author

I've done this at the develop branch and the change is going to be included to the next major version.

Thank you very much!!!

@bebraw
Copy link
Member

bebraw commented Jul 3, 2020

@marcoippolito Check #136 for the beta.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v5
Development

Successfully merging a pull request may close this issue.

v5 - TypeScript support and much more survivejs/webpack-merge
2 participants
@bebraw @marcoippolito