retextjs / retext-spell

plugin to check spelling
https://unifiedjs.com
MIT License

Possible security issue with lodash.includes #18

Closed x4121 closed 4 years ago

x4121 commented 4 years ago

I received a warning from Sonatype DepShield that retext-spell is using a vulnerable version of lodash.includes and points to this advisory.

So maybe you can check if this repo can be updated to lodash 4.17.5.

I'm not too experienced with JavaScript, but this should be possible by replacing

package.json:30
- "lodash.includes": "^4.2.0",
+ "lodash": ">= 4.17.5",
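Review bot: the range ">= 4.17.5" on the + line has no upper bound, so it would accept any future lodash major release, breaking changes included; the conventional "^4.17.5" keeps the patched floor while staying within 4.x. Note also that this swaps the single-function lodash.includes package for the full lodash package, a considerably larger install to obtain one function.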

and

index.js:7
- var includes = require('lodash.includes')
+ var includes = require('lodash/includes')
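Review bot: require('lodash/includes') only resolves once lodash itself is a declared dependency, so this line and the package.json change above have to land in the same commit or the install will break in between.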

Steps to reproduce

If you want to get the same report, either enable Sonatype DepShield in your GitHub account or create a new repository using retext-spell and only enable DepShield for this repository (you can limit access to single repos on setup).

ChristianMurphy commented 4 years ago

@x4121 pull requests are welcome

Murderlon commented 4 years ago

The vulnerable functions are defaultsDeep, merge, and mergeWith which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

lodash.includes in this project is not susceptible to this vulnerability. This is a non-issue.
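To make the distinction in the last comment concrete, here is an added example (written for this page, not lodash's code and not part of the original thread). It shows a minimal recursive merge that exhibits the prototype pollution pattern described above when fed an object carrying a "__proto__" key, a hardened variant that refuses prototype-bearing keys, and a small input scanner a defender can run on untrusted JSON before it reaches any deep-merge. The merge functions, the FORBIDDEN_KEYS set and the sample input are all constructed for illustration.

```javascript
// Keys that, when walked by a naive deep merge, reach the prototype chain
// instead of the target object's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed attacker-style input. After JSON.parse, "__proto__" is an
// ordinary own property of the parsed object, so Object.keys() lists it.
const CONSTRUCTED_INPUT = JSON.parse(
  '{"title":"doc","__proto__":{"polluted":"yes"}}'
);

// Unsafe toy merge (illustrative, not lodash's implementation): it copies every
// own key of src into dst. For key "__proto__", reading dst["__proto__"] on a
// plain object yields Object.prototype, so the recursion writes into it and the
// merged property appears on every object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof dst[key] !== 'object' || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened merge: skips the forbidden keys and only recurses into a child that
// is an own, plain-object property of dst, never into something inherited.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (typeof value === 'object' && value !== null) {
      const ownChild =
        Object.prototype.hasOwnProperty.call(dst, key) &&
        typeof dst[key] === 'object' &&
        dst[key] !== null;
      if (!ownChild) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Detection helper: true if any nested object in the input uses a forbidden key.
// Suitable as an input-validation check before untrusted JSON is deep-merged.
function hasForbiddenKeys(value) {
  if (typeof value !== 'object' || value === null) return false;
  if (Array.isArray(value)) return value.some(hasForbiddenKeys);
  return Object.keys(value).some(
    (k) => FORBIDDEN_KEYS.has(k) || hasForbiddenKeys(value[k])
  );
}

// Runs one merge implementation against a fresh target and reports whether an
// unrelated, newly created object picked up the "polluted" property. Always
// removes the property afterwards so the rest of the process is unaffected.
function pollutes(mergeFn) {
  try {
    mergeFn({}, CONSTRUCTED_INPUT);
    const unrelated = {};
    return unrelated.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
console.log('input flagged by scanner:', hasForbiddenKeys(CONSTRUCTED_INPUT)); // true
```

A lookup helper such as includes only reads from the collection it is given and never assigns through a key taken from untrusted input, which is why it falls outside this class of bug; the write path in the merge is what matters.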