Closed matteogilioli closed 6 months ago
Thank you for the suggestion. I was wavering on whether to just include all of lodash as a dependency, but went with the individual modules because that's how Inertia imports lodash.isEqual. I think since none of the lodash methods I use are ever exposed to the user, there's no harm in pulling in the full library. In theory, tree shaking should only include the methods I use and only minimally increase package size.
I am writing to bring to your attention a security concern regarding one of the dependencies used in the use-inertia-form package. The package currently relies on lodash.set, a module which has not received updates for several years and is vulnerable to a known security issue, specifically prototype pollution.
As per the security advisory platforms, there is no planned resolution to patch lodash.set and the latest version (4.3.2) still carries this high severity vulnerability. Given that lodash.set was last updated in 2016, it might not receive any future updates or patches.
Considering the above issues, I would like to suggest migrating from lodash.set to using the main lodash library. The main lodash library is actively maintained and regularly updated, which significantly mitigates the risk of similar security vulnerabilities.
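As an added illustration of the class of bug the issue describes (this is example code written for this page, not code from the use-inertia-form project or from lodash): a deep-set helper with lodash-style path semantics that refuses the path segments `__proto__`, `constructor` and `prototype`, which is the same guard the maintained lodash `_.set` applies today. It also shows the post-condition a test suite can check after migrating: that `Object.prototype` has not acquired any new property. The `toPath`, `safeSet` and `prototypeIsClean` names, and the sample paths, are constructed for this example.

```javascript
// Path segments that must never be traversed or assigned when walking
// a plain object; writing through them reaches Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Convert a lodash-style path ('a.b[0].c', 'a["x y"]', or an array) into
// an array of string keys. Constructed for this example; it covers the
// common forms rather than lodash's full grammar.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  const keys = [];
  const re = /[^.[\]]+|\[(?:(\d+)|(["'])(.*?)\2)\]/g;
  let m;
  while ((m = re.exec(String(path))) !== null) {
    if (m[1] !== undefined) keys.push(m[1]);        // [0]
    else if (m[3] !== undefined) keys.push(m[3]);   // ["quoted key"]
    else keys.push(m[0]);                           // plain segment
  }
  return keys;
}

// Deep-set `value` at `path` inside `object`, creating intermediate
// containers as needed (arrays when the next segment is an integer index).
// Throws instead of writing when any segment could reach the prototype chain.
function safeSet(object, path, value) {
  if (object === null || typeof object !== 'object') return object;
  const keys = toPath(path);
  if (keys.length === 0) return object;

  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`Refusing to set through prototype key "${key}"`);
    }
  }

  let node = object;
  for (let i = 0; i < keys.length - 1; i += 1) {
    const key = keys[i];
    // Only reuse an own property that is itself a container; never follow
    // an inherited value into the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (own === null || typeof own !== 'object') {
      node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return object;
}

// Regression check for a test suite: true if Object.prototype does not
// carry `name` as an own property, i.e. nothing has polluted it.
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Demonstration with constructed inputs.
const formState = safeSet({}, 'user.addresses[0].city', 'Milan');
console.log(JSON.stringify(formState));
try {
  safeSet({}, '__proto__.polluted', true);
} catch (err) {
  console.log(`rejected: ${err.message}`);
}
console.log('prototype clean:', prototypeIsClean('polluted'));
```

If the helper were swapped for a setter that lacks the guard, the `prototypeIsClean` check is the assertion that would start failing in CI, which makes it a useful companion to `npm audit` when validating the migration the issue proposes.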