balderdashy / sails

Realtime MVC Framework for Node.js
https://sailsjs.com
MIT License

Low-severity vulnerability in lodash dependency #7018

Open rachaelshaw opened 4 years ago

rachaelshaw commented 4 years ago

Node version: 10.16.0
Sails version (sails): 1.2.4
ORM hook version (sails-hook-orm): 2.1.1
Sockets hook version (sails-hook-sockets): 2.0.0
Organics hook version (sails-hook-organics): 2.2.0
Grunt hook version (sails-hook-grunt): 4.0.1
Uploads hook version (sails-hook-uploads): n/a
DB adapter & version (e.g. sails-mysql@5.55.5): sails-disk 1.1.2
Skipper adapter & version (e.g. skipper-s3@5.55.5): 0.9.0-4


When @eashaw checked for security vulnerabilities yesterday, we saw that sails + a number of related modules we maintain are affected by this lodash vulnerability:

[image]

...luckily, we shouldn't need to make any updates once a fix has been published: the vulnerability is coming in through async and encrypted-attr, which both have loose dependencies on lodash, so the patch should be picked up automatically once it's released. Just wanted to post here so everyone knows it's on our radar and we're keeping an eye on it!
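The argument above (a transitive lodash fix gets picked up automatically when the intermediate packages declare loose ranges) can be checked mechanically. This is an added example, not code from the Sails project: it walks a constructed dependency tree, finds every path to the vulnerable package, and reports whether each consumer's declared range admits a fixed version. The tree, the ranges, and the `FIXED` version are placeholders, not the real async/encrypted-attr/lodash values.

```javascript
// Compare two "major.minor.patch" versions; negative if a < b, 0 if equal, positive if a > b.
const parse = (v) => v.split('.').map(Number);
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal semver range check: exact ("4.17.0"), caret ("^4.17.0") or tilde ("~4.17.0").
// Caret handling assumes major > 0 (the lodash 4.x case); it is not a full semver parser.
function rangeAllows(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (op === '') return cmp(version, base) === 0;
  if (cmp(version, base) < 0) return false;
  const [bMaj, bMin] = parse(base), [vMaj, vMin] = parse(version);
  return op === '^' ? bMaj === vMaj : bMaj === vMaj && bMin === vMin;
}

// Collect every dependency path from `root` that ends in `target`.
// `seen` guards against cycles in the tree.
function findPaths(tree, root, target) {
  const out = [];
  (function walk(name, path, seen) {
    const deps = (tree[name] && tree[name].dependencies) || {};
    for (const [dep, range] of Object.entries(deps)) {
      const next = [...path, `${dep}@${range}`];
      if (dep === target) out.push({ consumer: name, range, path: next });
      else if (!seen.has(dep)) walk(dep, next, new Set([...seen, dep]));
    }
  })(root, [root], new Set([root]));
  return out;
}

// For each path, say whether the consumer's range would let the fix in without a code change.
function auditPaths(tree, root, target, fixedVersion) {
  return findPaths(tree, root, target).map((p) => ({ ...p, autoFix: rangeAllows(p.range, fixedVersion) }));
}

// Constructed tree mirroring the thread (sails -> async -> lodash, sails -> encrypted-attr -> lodash),
// plus a hypothetical `pinned` package with an exact lodash version to show the contrast.
const tree = {
  sails: { dependencies: { async: '^2.0.0', 'encrypted-attr': '^1.0.0', pinned: '1.0.0' } },
  async: { dependencies: { lodash: '^4.17.0' } },
  'encrypted-attr': { dependencies: { lodash: '^4.17.0' } },
  pinned: { dependencies: { lodash: '4.17.0' } },
};
const FIXED = '4.17.99'; // placeholder, not the real fixed lodash release
console.log(auditPaths(tree, 'sails', 'lodash', FIXED));
```

A path whose `autoFix` is `false` is the one that needs a manual bump (or a lockfile refresh) rather than waiting on the upstream publish.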

sailsbot commented 4 years ago

@rachaelshaw Thanks for posting! We'll take a look as soon as possible.

In the meantime, there are a few ways you can help speed things along:

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

alxndrsn commented 4 years ago

Is there any plan to switch sails and related libs to use lodash 4.x rather than a fork of lodash 3?

rachaelshaw commented 4 years ago

@alxndrsn not at the moment; we're using _.pluck() all over the place, which would need to change if we upgraded (plus Mike isn't a fan of _.map(), which is what we'd need to switch them all over to)

mikermcneil commented 4 years ago

also just to help clarify for others finding this issue: the vulnerability @rachaelshaw posted about above is in lodash 4.x. Here's JD's response

NachtRitter commented 4 years ago

@mikermcneil nevertheless that issue was fixed and merged https://github.com/lodash/lodash/pull/4759

mikermcneil commented 4 years ago

ah thanks - as of yesterday didn't look to be published yet, but haven't done our daily check yet today so 🤞

johnabrams7 commented 4 years ago

This has been resolved 👍