Prototype pollution issue with lodash dependency

[taltal78]

Hi,
Using the latest release 5.9.0 yields security issue:

✗ Prototype Pollution [High Severity][https://snyk.io/vuln/SNYK-JS-LODASH-590103] in [email protected]
introduced by [email protected] > [email protected] and 1 other path(s)
This issue was fixed in versions: 4.17.20

Is there planned fix?
thanks,
Tal

[goce-cz]

Hello,

First of all, let me apologize for a rather long radio silence. The previous maintainer left the company and it took us a while to replace him on all fronts.

I'm planning to do a patch release with some dependencies bumped this week (including lodash).

[Shinigami92]

@goce-cz Are you interested in a TypeScript enthusiast?
I migrated the code to TS a while ago and I used this lib for some of my projects.
Sadly currently I'm personally not involved in any lib that uses this repo but I really like it 🙂

[goce-cz]

@Shinigami92 Sure, give me some time to do a proper triage of the issues and then you can pick some work to do.

Thanks in advance!

[Shinigami92]

@taltal78 Are you sure this is coming from node-pg-migrate? I checked out the v5.9.0 tag and run npm audit. This reported me currently only vulnerabilities for devDependencies and nothing was from lodash 🤔

Also the lodash dependency is annotated with a tilde ~ so it should automatically use the newest fix version.

---

@goce-cz But reading the code that uses lodash, it seems that we can easily remove the lodash dependency at all, because only few functions from lodash are used.

• isArray can be replaced with native Array.isArray
• map
• mapValues
• chain
• intersection
• keys

I can try to create a PR for that the next few days

[taltal78]

@taltal78 Are you sure this is coming from node-pg-migrate? I checked out the v5.9.0 tag and run npm audit. This reported me currently only vulnerabilities for devDependencies and nothing was from lodash 🤔

Also the lodash dependency is annotated with a tilde ~ so it should automatically use the newest fix version.

@goce-cz But reading the code that uses lodash, it seems that we can easily remove the lodash dependency at all, because only few functions from lodash are used.

• isArray can be replaced with native Array.isArray
• map
• mapValues
• chain
• intersection
• keys

I can try to create a PR for that the next few days

I just executed snyk test - this is output from snyk.
anyway lodash released new version so its an easy fix.

[Shinigami92]

If you (@taltal78) remove your node_modules and package-lock.json (or yarn.lock) and then reinstall / regenerate these with npm install (or yarn), does it still report it?
I question that myself (and want to gain the knowledge) if something in your setup may be broken.

As you can see here, in a clean installed environment, both (npm and yarn) shows me that lodash 4.17.21 was installed and there is no direct dependency to <= 4.17.15.

So with node-pg-migrate 5.9.0 you should be able to resolve this issue on your side by just clean up your files.

[taltal78]

Thanks @Shinigami92 ,
It seems indeed there are other dependent libraries that uses lodash 4.19.0 , and so this was the library also used for node-pg-migrate.
Thanks!

[goce-cz]

I'm glad guys that you sorted this out on your own 🙏

Thanks to @Shinigami92 I just realized that bumping the deps in package-lock.json as the renovate-bot suggests won't have any effect in the apps that use node-pg-migrate as these are free to use more recent versions due to the ^ or ~ ranges.

I'm holding off on the release until there's something meaningful to be shipped.