lodash / lodash

A modern JavaScript utility library delivering modularity, performance, & extras.
https://lodash.com/

Is it correct that lodash v4.0 is still base on underscore 1.8.3? #5579

Closed tedyyu closed 1 year ago

tedyyu commented 1 year ago
/**
 * @license
 * Lodash <https://lodash.com/>
 * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
 * Released under MIT license <https://lodash.com/license>
 * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
 * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
 */

Seen in https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js and https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.js

The latest underscore version is v1.13.6. Is it possible that this is somehow not updated when generating the production js file?

Another question: I assume lodash has no dependency on underscore, right? "Based on" just means API compatibility. Correct me if I'm wrong.

Arun-Rangasamy commented 1 year ago

@jdalton @jashkenas @falsyvalues @bnjmnt4n @blikblum...

Our security scanning team is behind us, since underscore.js version 1.8.3 has the below vulnerability:

CVE-2021-23358: Affected versions of Underscore.js are vulnerable to Arbitrary Code Injection via the template function, particularly when the variable option is taken from _.templateSettings as it is not sanitized.

Can you please confirm if the latest release of lodash is affected because of this? And how can we remediate this vulnerability?

falsyvalues commented 1 year ago

Hi @tedyyu, lodash doesn't have underscore as a dependency.

@Arun-Rangasamy Currently we have no open CVE in lodash: https://security.snyk.io/package/npm/lodash

jaceklubzinski commented 5 months ago

Hi @falsyvalues, thanks for the clarification. Additional question: if lodash doesn't have the underscore library as a dependency, why does it keep showing up there, triggering different security scanners 🤔 Is there any way to get rid of this message?


Trott commented 5 months ago

if lodash doesn't have underscore library as a dependency, why it keeps showing up there triggering different security scanners 🤔

This seems like a bug in the security scanner you are using, not lodash.

jdalton commented 5 months ago

@jaceklubzinski, as @Trott wrote, this is a bug in the security scanners.
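The practical question left open in this thread is how to show a security team that the underscore 1.8.3 finding is an attribution-only match rather than an installed dependency. The following is an added example, not code from the lodash project or from anyone in this issue. It compares two views of a project: the packages actually resolved in an npm lockfile (where lodash appears and underscore does not) and a naive "name followed by a version" string match over the bundle text, which is the kind of heuristic that would pick up "Underscore.js 1.8.3" from the license banner quoted above. The lockfile fragment and the `triageFinding` helper are constructed for illustration; the thread does not state how any particular scanner produces its match, so the regex heuristic is an assumption about scanner behaviour, not a description of a specific tool.

```javascript
// Added example (not from the lodash project): separate "installed dependency"
// from "version string mentioned in a comment" so a scanner finding can be triaged.

// Constructed npm lockfile (lockfileVersion 3 layout) for a hypothetical app that
// depends on lodash only. Assumption for this example: no "underscore" entry exists.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { lodash: "^4.17.21" } },
    "node_modules/lodash": { version: "4.17.21", license: "MIT" }
  }
};

// Constructed excerpt of the attribution banner quoted in the issue.
const BUNDLE_HEADER = `/**
 * @license
 * Lodash <https://lodash.com/>
 * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
 */`;

// Walk the lockfile "packages" map. Keys are install paths such as
// "node_modules/a/node_modules/b"; the package name is the final
// "node_modules/<name>" segment (scoped names like @scope/pkg included).
function installedPackages(lock) {
  const result = new Map(); // package name -> array of installed versions
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const m = installPath.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m) continue;
    const name = m[1];
    if (!result.has(name)) result.set(name, []);
    result.get(name).push(entry.version);
  }
  return result;
}

// True only when the package is actually resolved in the dependency graph.
function isResolvedDependency(lock, name) {
  return installedPackages(lock).has(name);
}

// Naive scanner-style heuristic (assumed, not a specific tool's logic): find
// "<name>[.js] <x.y.z>" anywhere in the text, comments included. This is what
// turns a license attribution line into a spurious "underscore 1.8.3" hit.
function bannerVersionMentions(text, name) {
  const re = new RegExp(`${name}(?:\\.js)?\\s+v?(\\d+\\.\\d+\\.\\d+)`, "gi");
  const versions = [];
  let m;
  while ((m = re.exec(text)) !== null) versions.push(m[1]);
  return versions;
}

// Combine both views into a triage verdict for a reported package name.
function triageFinding(lock, bundleText, name) {
  const mentions = bannerVersionMentions(bundleText, name);
  if (isResolvedDependency(lock, name)) {
    return { name, status: "dependency", versions: installedPackages(lock).get(name) };
  }
  if (mentions.length > 0) {
    return { name, status: "attribution-only", versions: mentions };
  }
  return { name, status: "absent", versions: [] };
}

// Stand-alone run: "underscore" is attribution-only, "lodash" is a real dependency.
console.log(triageFinding(LOCKFILE, BUNDLE_HEADER, "underscore"));
console.log(triageFinding(LOCKFILE, BUNDLE_HEADER, "lodash"));
```

The verdict worth recording in a scanner exception is the "attribution-only" one: the string exists in a comment, the lockfile resolves no such package, and the lockfile is the artifact a dependency scanner should be trusting in the first place.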