[Security] Critical Lodash Vulnerabilities via gitbook-plugin-sharing

[RJPalmer]

🐛 Bug Summary

Critical vulnerabilities were identified in lodash (≤ 4.17.20), a transitive dependency introduced through gitbook-plugin-sharing.
These include multiple Prototype Pollution and Command Injection issues with no current fix available.

---

🔍 Details

Vulnerable Package: lodash
Affected Versions: ≤ 4.17.20
Dependency Path:
[email protected] → lodash@≤4.17.20
Severity: Critical

Relevant Advisories:

• GHSA-fvqr-27wr-82fm – Prototype Pollution
• GHSA-35jh-r3h4-6jhm – Command Injection
• GHSA-4xc9-xhrj-v574 – Prototype Pollution
• GHSA-jf85-cpcp-j695 – Prototype Pollution
• GHSA-p6mc-m468-83gw – Prototype Pollution

Fix Availability:
🚫 No official fix currently available for gitbook-plugin-sharing.

---

⚠️ Impact

• Risk of arbitrary code execution or data tampering through prototype pollution.
• May compromise application security if lodash methods are invoked with untrusted input.

---

🧪 Steps to Reproduce

1. Run npm audit in the project root.
2. Observe the critical vulnerabilities reported for lodash (transitive via gitbook-plugin-sharing).

---

💡 Proposed Actions

• Explore removing or replacing gitbook-plugin-sharing with a maintained alternative.
• If replacement is not feasible:
  • Fork the plugin and upgrade lodash to ≥4.17.21.
  • Use npm overrides or Yarn resolutions to force a safe lodash version.
• Re-run npm audit after mitigation to confirm vulnerability resolution.

---

🧭 Environment

Key	Value
Node.js version	e.g., 20.10.0
npm version	e.g., 10.5.0
OS	e.g., macOS 15.6.1 / Ubuntu 22.04

---

✅ Additional Notes

Please assign this issue for tracking and remediation.
This will help maintain project security and ensure compatibility with modern dependency versions.

[sumn2u]

@RJPalmer Appreciate for creating this issue.