Open kailashrdave opened 7 months ago
Is no one maintaining this anymore?
Lodash 4.17.10 has a known vulnerability (CVE-2019-10744) reported by the National Vulnerability Database. You can find more details about the vulnerability. Source: https://nvd.nist.gov/vuln/detail/cve-2019-10744
This vulnerability could potentially affect applications using Element UI. It would be greatly beneficial to update Lodash to a version that includes the fix for this issue. The latest versions of Lodash have addressed this security concern.
Could the team prioritize upgrading Lodash to a more recent and secure version? This will help ensure that applications using Element UI remain secure.
@webvs2 @csvwolf I found that we have hardcoded the lodash version in source code; instead, it should be taken from the package dependency version.
The file location is lib/utils/lodash.js
and it is being used as
var VERSION='4.17.10';
@element-bot when can we expect this to be resolved?
I have received your attention; I will actively explain the problem to the official to update it.
@webvs2, FYI you wrote in this comment on 26 Oct 2023 of the duplicate issue (https://github.com/ElemeFE/element/issues/22445#issuecomment-1780301833) that the issue will be fixed in the next release. Hope to see the fix soon. Thank you!
@webvs2 Can you please prioritise this issue and get it fixed asap, because it is a security concern for everyone who is using element-ui.
@shashankgaurav17 @danthioolea @spyshiv @kailashrdave @KevinZoro
The security issues have been fixed and 100% of the test cases have passed. If you have any problems, contact me again. Use long-term support versions: https://www.npmjs.com/package/elementui-lts?activeTab=readme
Hi @webvs2, I see that the issue has been resolved in the new "elementui-lts" repository. However, a new problem has arisen. In some places, files are being imported from "element-ui" instead of "elementui-lts." This is causing build issues. Could you please check and resolve this?
Few build errors:
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/utils/clickoutside'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/mixins/emitter'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/scrollbar' in '/Users/USER/TEST/REPO/node_modules/elementui-lts/lib'
Oh, I'll update this question. Thanks for finding out.
Thanks for the quick reply, @webvs2. You can use npm imports to alias the package to resolve this.
"imports": { "element-ui/": "./elementui-lts/" }
Element UI Utils still uses lodash 4.17.10.
Could you please update it to the latest lodash version?
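Added example, not part of the thread or of Element UI's code: the comments above point at a vendored lodash in lib/utils/lodash.js that is identified only by its `var VERSION` line, so it does not appear as a declared dependency. The function below flags such copies from their embedded banner; the sample file contents, the `other-pkg` name and the caller-supplied `minFixed` version are assumptions.

```javascript
// Added example: flag vendored lodash copies by their embedded version banner.
// Assumption: a vendored build keeps lodash's `var VERSION = 'x.y.z'` line,
// as quoted in the thread for lib/utils/lodash.js.
const VERSION_RE = /\bvar\s+VERSION\s*=\s*['"](\d+)\.(\d+)\.(\d+)['"]/;

// Parse 'x.y.z' into [x, y, z]; returns null for anything else.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// files: { path: sourceText }. minFixed: first version carrying the fix,
// supplied by the caller from the advisory (it is not stated in the thread).
function findVendoredLodash(files, minFixed) {
  const floor = parseVersion(minFixed);
  if (!floor) throw new Error('minFixed must look like x.y.z');
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const m = VERSION_RE.exec(source);
    // Require a lodash marker too, so unrelated VERSION constants are skipped.
    if (!m || !/lodash/i.test(source)) continue;
    const found = m.slice(1).map(Number);
    findings.push({
      path,
      version: found.join('.'),
      outdated: compareVersions(found, floor) < 0,
    });
  }
  return findings;
}

// Constructed sample input; real use would read these files from node_modules.
const SAMPLE_FILES = {
  'node_modules/element-ui/lib/utils/lodash.js':
    "/** lodash (custom build) */\n;(function(){ var VERSION='4.17.10'; })();",
  'node_modules/other-pkg/lib/lodash.js':
    "/** lodash */\nvar VERSION = '4.17.21';",
  'node_modules/other-pkg/lib/config.js': "var VERSION = '1.0.0';",
};
```

Call `findVendoredLodash(files, minFixed)` with file contents read from the install tree and the fixed version taken from the CVE-2019-10744 advisory.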