
lodash Prototype Pollution high security vulnerability

See original GitHub issue

Cheerio needs to update its lodash package to address the High severity vulnerability found in lodash as per: https://snyk.io/vuln/SNYK-JS-LODASH-450202

Lodash appears to have addressed the problem w/4.17.4 as per: https://github.com/lodash/lodash/issues/4348
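The issue above is about a transitive lodash copy pinned by a dependency rather than the top-level one, which is exactly what a plain version check of `node_modules/lodash` misses. The following is an added example, not code from cheerio or lodash: it walks a `package-lock.json` (both the nested v1 `dependencies` shape and the flat v2/v3 `packages` shape) and reports every lodash copy below 4.17.19, the fixed release cited for CVE-2020-8203 later on this page; the lockfile contents are constructed sample data.

```javascript
// Added example (not from the cheerio project): find every lodash copy in a
// package-lock.json that is older than the release this page cites as fixed.
// FIXED_VERSION comes from the page's CVE-2020-8203 reference; the sample
// lockfile below is constructed data, not a real project's lockfile.
const FIXED_VERSION = '4.17.19';

// Compare two dotted semver strings numerically; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect every lodash entry with the path through which it was pulled in.
// v2/v3 lockfiles list packages flat under "packages" keyed by install path;
// v1 lockfiles nest them under "dependencies".
function findLodash(lock) {
  const hits = [];
  function walkV1(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === 'lodash') hits.push({ path: path.join(' > '), version: info.version });
      walkV1(info.dependencies, path);
    }
  }
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith('node_modules/lodash')) hits.push({ path: key, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, []);
  }
  return hits;
}

// Only the copies still below FIXED_VERSION are reported.
function vulnerableLodash(lock) {
  return findLodash(lock).filter(h => compareVersions(h.version, FIXED_VERSION) < 0);
}

// Constructed v1-shaped lockfile: the top-level lodash is current, but the
// copy nested under cheerio is not, which is the situation in this issue.
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: '4.17.21' },
    cheerio: { version: '1.0.0-rc.3', dependencies: { lodash: { version: '4.17.11' } } }
  }
};
console.log(vulnerableLodash(SAMPLE_LOCK));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; an empty array means every lodash copy in the tree is at or above the fixed release.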

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 13 (4 by maintainers)

Top GitHub Comments

2 reactions
boutell commented, Jul 29, 2020

I sat down to offer a PR for this, but it looks like cheerio’s master branch already has no non-dev “npm audit” warnings left. Any chance of a release? It’s becoming a barrier to adoption unfortunately. Appreciate your time!

1 reaction
boutell commented, Aug 27, 2020

I will put this on my “contribute when I’m able” list. We really value this module at ApostropheCMS!

On Thu, Aug 27, 2020 at 11:18 AM Tom Boutell tom@apostrophecms.com wrote:

I see. Shouldn’t be hard to figure out when they diverged from the git logs.

On Thu, Aug 27, 2020 at 9:58 AM Felix Böhm notifications@github.com wrote:

The biggest issue right now is that both the 1.0 and the master branch have valid changes that move the codebase forward. The changes from master have to be ported to the 1.0 branch. I know this is tedious work, and any help would be greatly appreciated.

THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his


Top Results From Across the Web

Prototype Pollution in lodash - Snyk Vulnerability Database
Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing ...

Prototype Pollution in lodash · CVE-2020-8203 - GitHub
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of...

Prototype pollution: The dangerous and underrated ...
In early 2019, security researchers at Snyk disclosed details of a severe vulnerability in Lodash, a popular JavaScript library, which allowed ...

Lodash : Security vulnerabilities - CVE Details
# CVE ID CWE ID Vulnerability Type(s) Publish Date Update Date Score Gaine... 1 CVE-2021-23337 94 2021-02-15 2022-09-13 6.5 None 2 CVE-2020-28500 DoS 2021-02-15 2022-09-13...

Lodash: Understanding the recent vulnerability and how we ...
Lodash versions prior to 4.17.19 are vulnerable to a Prototype Pollution (CVE-2020-8203). The function zipObjectDeep() allows a malicious user to modify the ...
