connect-mongodb-session depends on vulnerable versions of archetype
Issue Description:
I'm encountering a vulnerability issue with my Node.js project that involves the lodash.set package. Despite attempting the suggested fix via npm audit fix --force and manually addressing the vulnerable packages, the issue persists.
Problem:
The npm audit identifies a high severity vulnerability related to Prototype Pollution in lodash.set. However, the fix provided via npm audit fix --force does not resolve the vulnerability. Manually updating the affected packages also fails to mitigate the issue.
Steps Taken:
- Ran `npm audit fix --force` to apply the suggested fix.
- Manually updated the affected packages (`lodash.set`, `archetype`, and `connect-mongodb-session`) to their latest versions.
Audit Output:
```
lodash.set *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lodash.set
  archetype >=0.8.7
  Depends on vulnerable versions of lodash.set
  node_modules/archetype
    connect-mongodb-session >=2.3.0
    Depends on vulnerable versions of archetype
    node_modules/connect-mongodb-session

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
+1 Also seeing this issue
Force fix doesn't fix it, because it wants to downgrade you to version 2.2.0. archetype looks to be a dead package that depends on the dead lodash.set package (8 years now), and this issue was never fixed in that package; it was fixed in the main lodash package though.
changing archetype to use lodash instead of lodash.clonedeep and lodash.set would resolve the issue.
actually here is a quickfix: npm install https://github.com/LaurentGoderre/archetype.git#fix-lodash_set-vuln
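The thread states the root cause only by name (Prototype Pollution in `lodash.set`, GHSA-p6mc-m468-83gw) and that the main `lodash` package fixed it. The following is an added illustration, not code from this issue, from archetype or from lodash: a minimal `set`-by-path helper in the style of `lodash.set` that refuses the keys (`__proto__`, `constructor`, `prototype`) through which a user-controlled path can reach `Object.prototype`, which is the class of guard the fixed upstream package applies. The `safeSet`, `FORBIDDEN_KEYS` and `demo` names and the sample paths are constructed for this example.

```javascript
// Added example (not from the thread, archetype or lodash): a guarded
// lodash.set-style helper. The defensive point is that any path segment
// naming __proto__, constructor or prototype is rejected before writing,
// so a path supplied by an untrusted request body can never modify
// Object.prototype for every object in the process.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  // Accept either an array of keys or a dotted string, like lodash.set does.
  const keys = Array.isArray(path) ? path.map(String) : String(path).split('.');
  if (keys.length === 0 || keys.some((k) => k === '')) {
    throw new Error('path must contain at least one non-empty key');
  }
  // Reject polluting segments up front, wherever they appear in the path.
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into own, plain-object properties; anything else is
    // replaced by a fresh container so inherited values are never walked.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Constructed sample usage: one benign path and one path that would reach
// Object.prototype through __proto__, which must be rejected. The helper
// returns values rather than printing so the result can be checked.
function demo() {
  const benign = safeSet({}, 'user.prefs.theme', 'dark');
  let rejected = false;
  try {
    safeSet({}, '__proto__.isAdmin', true);
  } catch (e) {
    rejected = true;
  }
  return {
    theme: benign.user.prefs.theme,
    rejected,
    // A fresh object must not have picked up an inherited isAdmin property.
    globalClean: ({}).isAdmin === undefined,
  };
}

module.exports = { safeSet, demo, FORBIDDEN_KEYS };
```

A useful audit check for an application that cannot drop the vulnerable transitive dependency immediately is to confirm that no request-derived string ever becomes a `set` path; the guard above is what the fix in the upstream package provides so that individual call sites do not have to.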
Any chance this will be fixed?
Can we get a fix for this?
I just got an orange card during a code audit. Please handle this security point.
Is there anything in the pipeline to get this issue fixed? This is popping up in all of our security approval requests. We will have to find alternatives if this doesn't get fixed soon enough.
Can we increase the priority for this issue?
Have you tried the fix mentioned above? That will fix the issue:
https://github.com/mongodb-js/connect-mongodb-session/issues/113#issuecomment-1940537609
npm install https://github.com/LaurentGoderre/archetype.git#fix-lodash_set-vuln
I was looking for an official fix.
Fortunately, there is a fix provided by archetype recently with version 0.13.1,
- https://github.com/boosterfuels/archetype/pull/28
So I could do something like this,
```json
{
  "overrides": {
    "archetype": "^0.13.1"
  }
}
```
I just noticed this seems to have resolved itself on my end by automatically utilizing [email protected], so it doesn't look like we need to do anything special (unofficial or otherwise) to get around it now.