Angular-tree-component: NVD CVE-2020-8203 (BDSA-2020-1674) Issue with lodash-es 4.17.15

Created on 21 Oct 2020  路  8Comments  路  Source: CirclonGroup/angular-tree-component

Please upgrade to lodash-es 4.17.20

https://www.openhub.net/p/616506

All 8 comments

@tobiasengelhardt This is a high priority security issue. Please comment. angular tree component is using vulnerable lodash version. Thanks

@somuda86 It's sadly not an easy update. There is no lodash-es 4.17.20, we are using the most recent version. They seem to have issues publishing a new version. I hope they fix this soon.

What a pity., this issue will prevent the usage of this component in production environments until lodash fixes the issue.
Do you have an estimate of the work needed to fix this project when the lodash version is updated to 4.17.20? any known breaking functionalities?

Looking at the changelog of lodash they did only bugfixes. If they finally publish 4.17.20 it should be just a simple package update.

Because there seems to be no real progress regarding the release of a new lodash version we started looking into removing lodash as a dependency. The pr/remove-lodash branch has lodash removed and all our build tests are passing (feel we to look, leave feedback and input). This is still a bigger change so we will do some more testing to see if it everything is working correctly. Hopefully there will be a new version released within the next two weeks.
If lodash release a new version before we are done testing there will of course be a new version with the updated lodash version asap.

Sure! i'd be glad to help

@tobiasengelhardt 4.17.20.has been released. But my 2 cents on removing that dependency

Fix is released in 10.0.2. We will continue working on removing lodash.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Shadowlauch picture Shadowlauch  路  5Comments

mmallit picture mmallit  路  5Comments

hipresario picture hipresario  路  4Comments

Roman-Simik picture Roman-Simik  路  5Comments

CC84 picture CC84  路  4Comments