Closed metters closed 1 year ago
This change originates from a dependabot alert:
# Prototype Pollution in lodash
The latest possible version that can be installed is 3.6.2 because of the following conflicting dependency:
`gulp-download@0.0.1 requires lodash.template@^3.0.0 via a transitive dependency on gulp-util@3.0.8`
The earliest fixed version is 4.5.0.
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Recommendation
Update to version 4.17.12 or later.
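A hardened deep-merge for the pattern the advisory describes, added here as an example that is not part of this PR or of lodash: it skips the `__proto__`, `constructor` and `prototype` keys a pollution payload relies on and then checks that `Object.prototype` gained nothing. `safeDefaultsDeep`, `prototypeIsClean` and the sample input are assumptions constructed for the demonstration.

```javascript
// Keys that can redirect a recursive merge into Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Fill `target` with values from `source` recursively ("defaults" semantics:
// existing own properties of `target` are kept). Only own keys are walked and
// the forbidden keys are dropped, so the walk can never reach a prototype.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // the hardening step
    const s = source[key];
    if (isPlainObject(s)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDefaultsDeep(target[key], s);
    } else if (!hasOwn(target, key)) {
      target[key] = s;
    }
  }
  return target;
}

// True when Object.prototype has not gained an own property called `name`.
function prototypeIsClean(name) {
  return !hasOwn(Object.prototype, name);
}

// Constructed input of the shape quoted in the advisory, as it would arrive
// from JSON.parse on untrusted data (keys become ordinary own properties).
const untrustedInput = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"__proto__":{"polluted":"yes"},"port":8080}'
);

function demo() {
  const config = safeDefaultsDeep({ port: 3000 }, untrustedInput);
  return { config, clean: prototypeIsClean('polluted') };
}

console.log(demo()); // { config: { port: 3000 }, clean: true }
```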
These vulnerabilities are not an issue, since you would only run the gulp scripts locally. Nevertheless, I agree it is better to use dependencies that are maintained. Thanks for the PR!
gulp-download has not been updated in 9 years! It contains gulp-util, which has been deprecated.
I looked for alternatives and believe that gulp-download-stream is sufficient.
- README file: the behaviour seems to be the same as the other dependency.
- gulp-util contains dependencies, which might contain security issues (I am no expert!).

Replacing this indeed removes a lot of lodash dependencies, and `npm install` shows that the change removes one critical issue:

Before: `found 20 vulnerabilities (7 low, 3 moderate, 9 high, 1 critical)`

After: `found 19 vulnerabilities (7 low, 3 moderate, 9 high)`