Victory: Upgrade Lodash Version to Fix Prototype Pollution Vulnerability

Created on 20 Mar 2018  路  7Comments  路  Source: FormidableLabs/victory

Feature/Improvement Request

Checklist

  • [x] I've read through the Docs and Guides to make sure this functionality doesn't already exist

  • [x] I've searched open issues to make sure I'm not opening a duplicate issue

Description

Victory is currently using v4.17.4 of lodash.

This version of lodash has a Prototype Pollution vulnerability which is fixed in v4.17.5.
https://snyk.io/vuln/npm:lodash:20180130

This causes Victory to be flagged by vulnerability-scanning services such as Snyk.

Victory's version should be updated to avoid having applications which implement it be exposed to this vulnerability.

Most helpful comment

@aleksander351 The reason you're still seeing that error is, as you said, because it's a dependency of a dependency - cordova-android.

You'd need to raise an issue with each library that your application imports which is using the outdated dependency.

All 7 comments

@asos-robertmorgan thank you for pointing this out. I will update lodash in the next release.

fixed in the latest version.

Thanks @boygirl!

How comes that I am getting the same error, even after upgrading lodash to 4.17.10? Is it a cache issue? In my case, it is a dependency of cordova-android.

@aleksander351 The reason you're still seeing that error is, as you said, because it's a dependency of a dependency - cordova-android.

You'd need to raise an issue with each library that your application imports which is using the outdated dependency.

Here is @aleksander351 ' s ticket at Apache https://issues.apache.org/jira/browse/CB-14088

i am getting the same error even after updating lodash to the current version(4.17.10)
it is a dependency of mongoosastic ,

package : lodash
Dependency of : mongoosastic
Path: mongoosastic > elasticsearch >lodash

Was this page helpful?
0 / 5 - 0 ratings