Closed KevinHughes closed 5 months ago
Hey, I saw this vulnerability, and the lodash "Per Method Packages" are no longer actively supported and will be removed in lodash v5, as we can see on their website (https://lodash.com/per-method-packages). The last version of lodash.set is 4.3.2 (https://www.npmjs.com/package/lodash.set), which is already the version of the dependency in electron-settings. So this package would need to transition from per-method packages to lodash directly.
Thanks a lot for already creating the Pull-Request! 👍
I hope it gets merged and pushed through as a new release soon, as this security issue currently pops up as a very red flag in our electron projects as well :/
4.0.3 is live. Please give it a try and let me know if it's working as expected.
It looks like everything is working as expected for me, thank you!
After regenerating our lockfile, which made everything use the new version and removed the old lodash packages, everything seems fine again. Thanks for your fast reaction :)
When making an app using electron 28.2.3 or later, including electron-settings 4.0.2 or 5.0.0 as a dependency causes this output when running `npm install` or `npm audit`:

This workaround, which forces npm to override old versions of lodash.set in package.json...

...does not work, as it prevents any settings from being written.