ElemeFE / element

A Vue.js 2.0 UI Toolkit for Web
https://element.eleme.io/
MIT License

element UI Utils still uses lodash 4.17.10 #22741

Open kailashrdave opened 7 months ago

kailashrdave commented 7 months ago

element UI Utils still uses lodash 4.17.10

could you please update it to latest lodash version.

KevinZoro commented 1 month ago

Is nobody maintaining this anymore?

spyshiv commented 1 month ago

Lodash 4.17.10 has a known vulnerability (CVE-2019-10744) reported by the National Vulnerability Database. You can find more details about the vulnerability at the source: https://nvd.nist.gov/vuln/detail/cve-2019-10744

This vulnerability could potentially affect applications using Element UI. It would be greatly beneficial to update Lodash to a version that includes the fix for this issue. The latest versions of Lodash have addressed this security concern.

Could the team prioritize upgrading Lodash to a more recent and secure version? This will help ensure that applications using Element UI remain secure.

shashankgaurav17 commented 1 month ago

@webvs2 @csvwolf I found that we have hardcoded the lodash version in the source code; instead, it should be taken from the package dependency version. The file location is lib/utils/lodash.js and it is being used as:

var VERSION='4.17.10';

@element-bot when can we expect this to be resolved?

webvs2 commented 1 month ago

I have received your attention; I will actively explain the problem to the officials so that they update it.

danthioolea commented 1 month ago

@webvs2, FYI you wrote in this comment on 26 Oct 2023 on the duplicate issue (https://github.com/ElemeFE/element/issues/22445#issuecomment-1780301833) that the issue will be fixed in the next release. Hope to see the fix soon. Thank you!

shashankgaurav17 commented 5 days ago

@webvs2 Can you please prioritise this issue and get it fixed ASAP, because it is a security concern for everyone who is using element-ui.

webvs2 commented 3 days ago

@shashankgaurav17 @danthioolea @spyshiv @kailashrdave @KevinZoro

The security issues have been fixed and 100% of the test cases have passed; if you have any problems, contact me again. Use the long-term support versions: https://www.npmjs.com/package/elementui-lts?activeTab=readme

shashankgaurav17 commented 12 hours ago

Hi @webvs2, I see that the issue has been resolved in the new "elementui-lts" repository. However, a new problem has arisen. In some places, files are being imported from "element-ui" instead of "elementui-lts." This is causing build issues. Could you please check and resolve this?

A few build errors:

ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/utils/clickoutside'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/mixins/emitter'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/scrollbar' in '/Users/USER/TEST/REPO/node_modules/elementui-lts/lib'

webvs2 commented 12 hours ago

> Hi @webvs2, I see that the issue has been resolved in the new "elementui-lts" repository. However, a new problem has arisen. In some places, files are being imported from "element-ui" instead of "elementui-lts." This is causing build issues. Could you please check and resolve this?
>
> A few build errors:
>
> ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/utils/clickoutside'
> ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/mixins/emitter'
> ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/scrollbar' in '/Users/USER/TEST/REPO/node_modules/elementui-lts/lib'

Oh, I'll update this question. Thanks for finding out.

shashankgaurav17 commented 12 hours ago

Thanks for the quick reply @webvs2. You can use npm imports to alias the package to resolve this:

"imports": { "element-ui/": "./elementui-lts/" }