
Dependency lodash.set has Prototype Pollution vulnerability

Open MayGo opened this issue 1 year ago • 2 comments

https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032

I advise replacing that dependency.

MayGo avatar Aug 25 '22 08:08 MayGo

There is no fixed version for lodash.set.

We use lodash.set in several places in the code. Do you have any suggested alternatives by chance?

danpaz avatar Aug 26 '22 14:08 danpaz

I just learned about https://www.npmjs.com/package/wild-wild-path, though perhaps this has too much functionality. Or use lodash itself and depend on tree shaking to only package the used functions.

MayGo avatar Aug 26 '22 14:08 MayGo
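The thread above asks for an alternative to `lodash.set`. As an added example, not code from bodybuilder or any of the commenters, here is a minimal path-setter with the same call shape as `lodash.set(obj, path, value)` that refuses to walk through the keys a prototype-pollution payload relies on (`__proto__`, `constructor`, `prototype`) and only descends into own properties. The function name `safeSet` and the helper `toPath` are assumptions; the sample Elasticsearch-style path is constructed for the demo.

```javascript
// Added example (not bodybuilder's code): a small replacement for lodash.set
// that rejects prototype-polluting path segments instead of writing through them.
// Assumptions: hypothetical names `safeSet` and `toPath`; paths are dotted
// strings or arrays, as with lodash.set.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise "a.b[0].c" or ["a", "b", 0, "c"] into ["a", "b", "0", "c"].
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, '.$1')
    .split('.')
    .filter(Boolean);
}

function safeSet(obj, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) return obj;

  // Refuse the whole write if any segment could reach a shared prototype.
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set through unsafe key "${key}"`);
    }
  }

  let current = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const ownContainer =
      Object.prototype.hasOwnProperty.call(current, key) &&
      typeof current[key] === 'object' &&
      current[key] !== null;
    // Never follow inherited properties; create a fresh container instead.
    if (!ownContainer) {
      current[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
    }
    current = current[key];
  }
  current[keys[keys.length - 1]] = value;
  return obj;
}

// Demo: build a nested query body (constructed sample path) and confirm that
// an unsafe path is rejected and Object.prototype stays untouched.
function demo() {
  const body = {};
  safeSet(body, 'query.bool.must[0].match.title', 'elk');

  let rejected = false;
  try {
    safeSet({}, '__proto__.polluted', true);
  } catch (e) {
    rejected = true;
  }

  return {
    body,
    rejected,
    prototypeClean: ({}).polluted === undefined,
  };
}

module.exports = { toPath, safeSet, demo };
```

Rejecting the write outright (rather than silently skipping the key) is deliberate: a caller that passes attacker-controlled path segments should see an error, not a partially applied update.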

Hi. I opened a pull request for this matter. Please consider checking it out. It's a simple change. https://github.com/danpaz/bodybuilder/pull/309

staxie avatar Feb 27 '23 09:02 staxie

Hello, I also opened a pull request for this issue: #315. It would be great if you could have a look.

StefOodle avatar Jul 03 '23 08:07 StefOodle

Thanks for solving this @StefOodle. Could we get a version with the fix published onto npm please @danpaz?

remyoudemans avatar Jul 19 '23 15:07 remyoudemans

Yes, just published as 2.5.1. This reminded me that publishing from Travis CI is still broken https://github.com/danpaz/bodybuilder/issues/297 😞

danpaz avatar Jul 19 '23 15:07 danpaz