NVD CVE-2020-8203 (BDSA-2020-1674) Issue with lodash-es 4.17.15

[somuda86]

Please upgrade to lodash-es 4.17.20

https://www.openhub.net/p/616506

[somuda86]

@tobiasengelhardt This is a high priority security issue. Please comment. angular tree component is using vulnerable lodash version. Thanks

[tobiasengelhardt]

@somuda86 It's sadly not an easy update. There is no lodash-es 4.17.20, we are using the most recent version. They seem to have issues publishing a new version. I hope they fix this soon.

[matiassantos]

What a pity., this issue will prevent the usage of this component in production environments until lodash fixes the issue. Do you have an estimate of the work needed to fix this project when the lodash version is updated to 4.17.20? any known breaking functionalities?

[tobiasengelhardt]

Looking at the changelog of lodash they did only bugfixes. If they finally publish 4.17.20 it should be just a simple package update.

[tobiasengelhardt]

Because there seems to be no real progress regarding the release of a new lodash version we started looking into removing lodash as a dependency. The pr/remove-lodash branch has lodash removed and all our build tests are passing (feel we to look, leave feedback and input). This is still a bigger change so we will do some more testing to see if it everything is working correctly. Hopefully there will be a new version released within the next two weeks. If lodash release a new version before we are done testing there will of course be a new version with the updated lodash version asap.

[matiassantos]

Sure! i'd be glad to help

[somuda86]

@tobiasengelhardt 4.17.20.has been released. But my 2 cents on removing that dependency

[tobiasengelhardt]

Fix is released in 10.0.2. We will continue working on removing lodash.