Lo-dash version has high severity security vulnerability

Discourse embeds a custom copy of 1.3.0 version of lo-dash.

Google’s Lighthouse analysis reports 4 security vulnerabilities on my up-to-date Discourse instance, 3 of which are in lo-dash and one of which is marked as High severity.

The Lighthouse report links to

Lighthouse is at https://web.dev/measure and the report for this site, at https://lighthouse-dot-webdotdevsite.appspot.com/lh/html?url=https://meta.discourse.org, says under Best Practices:

Includes front-end JavaScript libraries with known security vulnerabilities: 3 vulnerabilities detected

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.

Library   Version   Vulnerability Count   Highest Severity
Lo-Dash   1.3.0     3                     High
2 Likes

@joffreyjaffeux can you update lo-dash to the latest version?

1 Like

@joffreyjaffeux just updated lodash and also reduced our surface area quite a lot by building a custom, hand-curated lodash that only includes the subset of the functions on offer that we use.

3 Likes

Any chance it eliminated functionality which certain plugins used?

1 Like

If you consider the huge jump in the version number, it should have changed a number of method signatures. Since it’s Lodash, developers should review the need and migrate to vanilla JS whenever possible.

1 Like

Hmm - I reran the report on Lighthouse (pointing at this site), and it sees lo-dash now at version 4.17.5, which is a great deal newer but still has 2 vulnerabilities including the high severity one. It looks like the fix is in 4.17.11, according to

3 Likes
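A small check that follows from the post above, added here as an example and not code from the thread or from Discourse: given a detected lodash version, decide whether it predates the first fixed release the post names, 4.17.11. The point worth showing is that version strings cannot be compared as strings ("4.17.5" sorts after "4.17.11" lexicographically, which would wrongly mark it fixed); the fields have to be compared as integers. The table rows fed to it are constructed in the same shape as the Lighthouse output quoted earlier; the function and constant names are my own.

```javascript
// Added example (not from the thread): flag lodash versions older than the
// first fixed release named in the post above. Assumes 4.17.11 is that release.
const FIXED_LODASH_VERSION = '4.17.11';

// "v4.17.5-beta+build" -> [4, 17, 5]; missing fields are padded with 0.
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/i, '').split(/[-+]/)[0];
  const parts = core.split('.').map(p => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Numeric, field-by-field comparison: -1 if a < b, 0 if equal, 1 if a > b.
// String comparison would get "4.17.5" vs "4.17.11" backwards.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the detected version is older than the fixed one.
function isVulnerableLodash(version, fixedIn = FIXED_LODASH_VERSION) {
  return compareVersions(version, fixedIn) < 0;
}

// Constructed sample rows in the shape of the Lighthouse table quoted above.
const SAMPLE_ROWS = [
  'Lo-Dash@1.3.0 3 High',
  'Lo-Dash@4.17.5 2 High',
  'Lo-Dash@4.17.11 0 None',
  'jQuery@3.4.1 0 None',
];

// Pull "library@version" off the front of a row; null if the row doesn't match.
function parseRow(row) {
  const m = /^([A-Za-z-]+)@(\d+(?:\.\d+)*)/.exec(row.trim());
  return m ? { library: m[1], version: m[2] } : null;
}

// Versions of lodash rows that still predate the fix.
function findVulnerableLodashVersions(rows) {
  return rows
    .map(parseRow)
    .filter(r => r && /^lo-?dash$/i.test(r.library) && isVulnerableLodash(r.version))
    .map(r => r.version);
}

console.log(findVulnerableLodashVersions(SAMPLE_ROWS)); // ['1.3.0', '4.17.5']
```

Run it with node; the jQuery row is there only to show that non-lodash rows are ignored rather than compared against the lodash fix version.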

Thanks for letting us know, we will get it sorted.

4 Likes

Ok, I got tricked by a combination of things…

Most notably, yarn global add will install 4.17.5 no matter what… You have to install it from the git repo:

➜  Projects yarn global add https://github.com/lodash-archive/lodash-cli
yarn global v1.16.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Building fresh packages...
success Installed "lodash-cli@4.17.11" with binaries:
      - lodash
✨  Done in 5.90s.

Will be fixed by:

https://github.com/discourse/discourse/pull/7565/commits

Thanks.

6 Likes

This topic was automatically closed after 10 hours. New replies are no longer allowed.