fix: update lodash to 4.17.11 to fix vulnerabilities #473
The build isn't passing. I will take a look in the morning.
Hi George! Thanks for the security patch. I think your commit should start with Could you explain why you switched to a full lodash import everywhere, instead of partial (only what's actually used) imports? As far as I can tell, the vulnerability only exists in 3 methods of lodash, right?
I'll try to do a full security check this evening (CEST) too 😄
Hey Cedric. If lodash has to be upgraded for some of the libraries we might as well upgrade the rest, I believe.
Ah I see, that's a really good explanation 😄 So this PR is only for updating Lodash across all packages right? (And with that, fix some security issues related to lodash too) For @marionebl, this is what they say in their Roadmap.
Correct, all I'm doing is bumping versions and changing import paths. I'm having issues with
I will take a look this evening (CEST) 😄 I'll get back at you about
I found the issue. I had some stale lodash packages and tests were running because of that. Paths are wrong so I will be updating the request later today.
Hi George! Great job in finding out about the issue 😄 Do you still need some help with this PR? I did a full audit for all other (sub)packages and created a PR to fix 2/3 issues. Thanks for helping keep Commitlint safe! 😄
Sorry, didn't have time yesterday. I will be taking a look in a bit and committing the fixes on my side.
No worries, whenever you have time! If you are stuck or want someone to check, let me know 😄
The build is crashing due to
@commitlint/prompt/package.json
@@ -72,6 +72,7 @@ | |||
"@commitlint/load": "^7.2.1", | |||
"babel-runtime": "^6.23.0", | |||
"chalk": "^2.0.0", | |||
"lodash": "^4.17.11", | |||
"lodash.camelcase": "4.3.0", |
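Review bot: `lodash` is added directly above a `lodash.camelcase` entry that stays pinned at `4.3.0`, so the package now ships two copies of the same code, and the per-method module is a separate npm package that this version bump does not touch. Since the PR already switches import paths to the full `lodash` package, remove the `lodash.camelcase` entry in the same change rather than leaving the old module behind.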
Also some old lodash modules right? 😄
@@ -75,6 +75,7 @@ | |||
}, | |||
"dependencies": { | |||
"babel-runtime": "6.26.0", | |||
"lodash": "^4.17.11", | |||
"lodash.merge": "4.6.1", |
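Review bot: `lodash.merge` remains pinned at `4.6.1` right under the new `lodash` line; the bump to `^4.17.11` only covers code that imports from `lodash`, so anything still requiring `lodash.merge` gets nothing from this change. Drop the `lodash.merge` entry and point those call sites at `lodash/merge` as part of the import-path refactor the PR describes.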
Let's burn the lodash modules! 😬
@commitlint/format/package.json
@@ -73,6 +73,7 @@ | |||
}, | |||
"dependencies": { | |||
"babel-runtime": "^6.23.0", | |||
"chalk": "^2.0.1" | |||
"chalk": "^2.0.1", | |||
"lodash": "^4.17.11" |
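Review bot: the new `lodash` entry goes into `dependencies`, but per the review this package only uses lodash at development time, so it belongs in `devDependencies`; as written, every consumer of `@commitlint/format` would install a runtime dependency the package never executes. Move it, and remove the old `lodash.includes` entry from `devDependencies` at the same time so only one lodash remains. The `"chalk": "^2.0.1",` line changes only to add the trailing comma the new entry needs, which is fine.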
In this package, lodash is used as a devDependency. I think it's best to keep it there (and remove the old lodash.includes of course 😄)
@commitlint/rules/package.json
@@ -78,6 +78,7 @@ | |||
"@commitlint/ensure": "^7.2.0", | |||
"@commitlint/message": "^7.1.2", | |||
"@commitlint/to-lines": "^7.1.2", | |||
"babel-runtime": "^6.23.0" | |||
"babel-runtime": "^6.23.0", | |||
"lodash": "^4.17.11" |
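Review bot: same placement issue as in `@commitlint/format`: `lodash` is added to `dependencies` here while the existing `lodash.values` lives in `devDependencies`, which suggests lodash is only needed by the tests. Add `lodash` to `devDependencies` instead and delete `lodash.values`, so the rules package does not gain a runtime dependency and does not keep the old per-method module around.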
Same here, I found lodash.values in the dev-dependencies. I would say, remove that one and move lodash to devdependencies 😄
Sorry, it took me a while! I'm not sure why it's not popping up in my PR. Maybe xo only checks edited packages. I think this is something for @marionebl, we either need to ignore the function with xo or fix it. But fixing it requires a lot of refactoring 😅 Let's leave it like this until he comes back from his holiday. Meanwhile, I also double checked your changes and started a review. Found some old modules in some package files, if you can clean it up we only have to fix the xo issue then! 😄 It will be easier for Mario to check and take action then 😄 Again, thanks a lot! <3
I think the packages look good at the moment but the build is failing due to the commitlint check and the xo check. I'm happy to close this request and create a new one if needed but I'm not sure if that is going to solve the xo checks.
Follow up at #497, thank you folks! |
Update lodash to fix vulnerabilities.
Description
Updated `lodash` to 4.17.11 to fix proto buffer vulnerabilities. I had issues committing due to `npx xo` throwing errors for issues unrelated to the changes, so I used `--no-verify` on commit.
Motivation and Context
Usage examples
How Has This Been Tested?
Ran tests. There were 4 tests failing when the branch was checked out and they continue to fail. All other tests pass after lodash import paths were refactored.
Types of changes
Checklist: