High severity security alert in Lodash via yargs-unparser

[soryy708]

Prerequisites

• [x] Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
• [x] Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
• [x] 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
• [x] Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node node_modules/.bin/mocha --version(Local) and mocha --version(Global). We recommend that you not install Mocha globally.

Description

Mocha depends on yargs-unparser, which depends on Lodash, which is vulnerable to prototype pollution in versions < 4.17.13. This does not show in npm audit, rather on GitHub if you publish a repository that depends on mocha (^6.1.4).

Steps to Reproduce

1. Create a new git repository
2. npm i mocha --save-dev
3. Upload to GitHub
4. Get a message saying "We found a potential security vulnerability in one of your dependencies. "

Expected behavior: No vulnerabilities in Mocha

Actual behavior:

We found a potential security vulnerability in one of your dependencies. Only the owner of this repository can see this message. 1 lodash vulnerability found in package-lock.json CVE-2019-10744 Affected versions of lodash are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Reproduces how often: Every time

Versions

• The output of mocha --version and node node_modules/.bin/mocha --version: 6.1.4 (both)
• The output of node --version: v10.13.0
• Your operating system
  • name and version: Windows 10
  • architecture (32 or 64-bit): 64
• Your shell (e.g., bash, zsh, PowerShell, cmd): cmd
• Your browser and version (if running browser tests): N/A
• Any third-party Mocha-related modules (and their versions): None
• Any code transpiler (e.g., TypeScript, CoffeeScript, Babel) being used (and its version): N/A

Additional Information

None

[Whathecode]

Confirmed. This is also reported in the yargs-unparser repo: https://github.com/yargs/yargs-unparser/issues/35

However, yargs-unparser specifies the dependency as "requires": { "lodash": "^4.17.11" }. Thus, a temporary workaround is making sure a more recent version of lodash (>=4.17.13) is installed.