element UI Utils still uses lodash 4.17.10

Open kailashrdave opened this issue 1 year ago • 20 comments

could you please update it to latest lodash version.

kailashrdave avatar Nov 16 '23 14:11 kailashrdave

Is nobody maintaining this anymore?

KevinZoro avatar May 20 '24 05:05 KevinZoro

Lodash 4.17.10 has a known vulnerability (CVE-2019-10744) reported by the National Vulnerability Database. You can find more details about the vulnerability at the source: https://nvd.nist.gov/vuln/detail/cve-2019-10744

This vulnerability could potentially affect applications using Element UI. It would be greatly beneficial to update Lodash to a version that includes the fix for this issue. The latest versions of Lodash have addressed this security concern.

Could the team prioritize upgrading Lodash to a more recent and secure version? This will help ensure that applications using Element UI remain secure.

spyshiv avatar May 20 '24 06:05 spyshiv

@webvs2 @csvwolf I found that we have hardcoded the lodash version in source code, instead it should be taken from package dependency version. The file location is lib/utils/lodash.js and it is being used as

var VERSION='4.17.10';

@element-bot when can we expect this to be resolved ?

shashankgaurav17 avatar May 20 '24 06:05 shashankgaurav17

I have received your attention, I will actively explain the problem to the official to update it

webvs2 avatar May 20 '24 07:05 webvs2

@webvs2, FYI you wrote in this comment on 26 Oct 2023 of the duplicate issue (https://github.com/ElemeFE/element/issues/22445#issuecomment-1780301833) that the issue will be fixed in the next release. Hope to see the fix soon. Thank you!

danthioolea avatar May 20 '24 09:05 danthioolea

@webvs2 Can you please prioritise this issue and get it fixed asap, because it is a security concern for everyone who is using element-ui.

shashankgaurav17 avatar Jul 03 '24 10:07 shashankgaurav17

@shashankgaurav17 @danthioolea @spyshiv @kailashrdave @KevinZoro

The security issues have been fixed and 100% of the test cases have passed, if you have any problems, contact me again. Use long-term support versions: https://www.npmjs.com/package/elementui-lts?activeTab=readme

webvs2 avatar Jul 05 '24 08:07 webvs2

Hi @webvs2, I see that the issue has been resolved in the new "elementui-lts" repository. However, a new problem has arisen. In some places, files are being imported from "element-ui" instead of "elementui-lts." This is causing build issues. elementui-lts Could you please check and resolve this?

A few build errors:

ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/utils/clickoutside'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/mixins/emitter'
ModuleNotFoundError: Module not found: Error: Can't resolve 'element-ui/lib/scrollbar' in '/Users/USER/TEST/REPO/node_modules/elementui-lts/lib'

shashankgaurav17 avatar Jul 08 '24 09:07 shashankgaurav17

Oh, I'll update this question. Thanks for finding out

webvs2 avatar Jul 08 '24 09:07 webvs2

Thanks for the quick reply @webvs2. You can use npm imports to alias the package to resolve this.

"imports": { "element-ui/": "./elementui-lts/" }

shashankgaurav17 avatar Jul 08 '24 09:07 shashankgaurav17

Hi @webvs2, any updates on the above issue? We need to resolve it immediately. It's kind of a blocker for us.

shashankgaurav17 avatar Jul 09 '24 05:07 shashankgaurav17

I understand, and I apologize for the security issues and processing time that this issue has caused, and I also recommend that people gradually use the lts version, which I have been working on recently

webvs2 avatar Jul 09 '24 06:07 webvs2

Hi @webvs2, could you please let me know when we can expect this to be fixed? We need it addressed as soon as possible due to the security issue. Thank you for understanding; your prompt assistance is invaluable.

shashankgaurav17 avatar Jul 09 '24 06:07 shashankgaurav17

I will do it as soon as possible. I expect this week. I have some other work to take care of. @shashankgaurav17

webvs2 avatar Jul 09 '24 06:07 webvs2

Thanks for the ETA @webvs2.

shashankgaurav17 avatar Jul 09 '24 09:07 shashankgaurav17

2.16.0 (lts) published, please try it.

webvs2 avatar Jul 13 '24 07:07 webvs2

Hi @webvs2, thanks for the support. What is the difference between element-ui and elementui-lts? Or is there any doc that explains it?

EightCanisters avatar Jul 16 '24 02:07 EightCanisters

The long-term support version, extended from the latest version of the current element-ui, will provide more frequent updates outside of the official fixes for existing issues. It addresses users who are still stuck in their projects.

webvs2 avatar Jul 16 '24 02:07 webvs2

Thanks for the help @webvs2.

shashankgaurav17 avatar Jul 22 '24 05:07 shashankgaurav17