Closed ab90467 closed 3 years ago
Thanks. We'll take a look at this and make sure there are no other problematic dependencies before putting out a patch.
It may not be possible for us to patch this immediately, though. One issue is that we haven't been using Snyk, we've been using npm audit, which does not seem to know about this vulnerability, so our regular CI process won't be able to tell whether we have really fixed the issue. But also, it may be hard to really stamp out every reference to lodash 4.x; it is a transitive dependency of very many packages, not just node-cache, and it may take a while to determine whether all of them have patches to address this.
This will also have to be done at the same time as dropping support for Node v6 and 7 (since node-cache v5 has dropped it). Those have been EOL for a while, but to officially drop compatibility with them we would normally put out a new major version of our own package and do a more general dependency update.
As I suspected, it wasn't possible to address this in v5.x of our SDK due to the Node compatibility requirements, but it has been fixed in the upcoming 6.0.0 release. There is a preliminary 6.0.0-rc.1 version out now so you can verify that. The 6.0.0 GA release should be done by the end of this week.
Vulnerable module: lodash
Fixed in version: 4.17.20
Introduced through: launchdarkly-node-server-sdk@5.14.0

Detailed paths
Introduced through: bulder-bank@1.0.0 › launchdarkly-node-server-sdk@5.14.0 › node-cache@4.2.1 › lodash@4.17.19
Remediation: Your dependencies are out of date, otherwise you would be using a newer lodash than lodash@4.17.19.
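The maintainer's point that a hoisted top-level lodash can be current while an older copy stays pinned under a transitive dependency is easy to check mechanically. The following is an added example, not code from this thread or the SDK: it walks a package-lock.json v1-style tree and prints every path to a lodash below the fixed version, in the same form as the Snyk "Detailed paths" above. The lockfile object is constructed for illustration; only the package names, versions and the fixed-in version come from the report.

```javascript
// Added example (not from the issue thread): list every dependency path that
// introduces a lodash older than the version the report says fixes the issue.
const FIXED_IN = '4.17.20'; // "Fixed in version" from the Snyk report

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect "root > a@x > b@y > lodash@z" paths for every nested copy
// of `target` whose version is older than `fixedIn`. package-lock v1 nests each
// package's own pinned copies under its `dependencies` key, so a hoisted
// top-level copy and a deeper pinned copy are both visited.
function findVulnerablePaths(lock, target, fixedIn, prefix, out = []) {
  const head = prefix || `${lock.name}@${lock.version}`;
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const here = `${head} > ${name}@${meta.version}`;
    if (name === target && compareVersions(meta.version, fixedIn) < 0) out.push(here);
    findVulnerablePaths(meta, target, fixedIn, here, out);
  }
  return out;
}

// Constructed lockfile: an already-fixed lodash hoisted to top level, plus the
// transitive 4.17.19 pinned under node-cache exactly as the report shows.
const sampleLock = {
  name: 'bulder-bank', version: '1.0.0',
  dependencies: {
    lodash: { version: '4.17.20' },
    'launchdarkly-node-server-sdk': {
      version: '5.14.0',
      dependencies: {
        'node-cache': { version: '4.2.1', dependencies: { lodash: { version: '4.17.19' } } },
      },
    },
  },
};

console.log(findVulnerablePaths(sampleLock, 'lodash', FIXED_IN).join('\n'));
```

On a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no pinned copy below the fixed version remains anywhere in the tree.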