
connect-mongodb-session depends on vulnerable versions of archetype #113

Open
Kvikvne opened this issue Feb 1, 2024 · 10 comments

Comments

@Kvikvne

Kvikvne commented Feb 1, 2024

Issue Description:

I'm encountering a vulnerability issue with my Node.js project that involves the lodash.set package. Despite attempting the suggested fix via npm audit fix --force and manually addressing the vulnerable packages, the issue persists.

Problem:

The npm audit identifies a high severity vulnerability related to Prototype Pollution in lodash.set. However, the fix provided via npm audit fix --force does not resolve the vulnerability. Manually updating the affected packages also fails to mitigate the issue.

Steps Taken:

  • Ran npm audit fix --force to apply the suggested fix.
  • Manually updated the affected packages (lodash.set, archetype, and connect-mongodb-session) to their latest versions.

Audit Output:

```
lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lodash.set
  archetype  >=0.8.7
  Depends on vulnerable versions of lodash.set
  node_modules/archetype
    connect-mongodb-session  >=2.3.0
    Depends on vulnerable versions of archetype
    node_modules/connect-mongodb-session

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```

@kevnwang

kevnwang commented Feb 4, 2024

+1 Also seeing this issue

@patrickdk77

The force fix doesn't fix it, because it wants to downgrade you to version 2.2.0.
archetype looks to be a dead package that depends on the dead lodash.set package (8 years now), and this issue was never fixed in that package; it was fixed in the main lodash package, though.

Changing archetype to use lodash instead of lodash.clonedeep and lodash.set would resolve the issue.

@patrickdk77

Actually, here is a quick fix: `npm install https://github.com/LaurentGoderre/archetype.git#fix-lodash_set-vuln`

@drscottlobo

Any chance this will be fixed?

@joshuawwright

Can we get a fix for this?

@eviltik

eviltik commented May 16, 2024

I just got an orange card during a code audit. Please handle this security point.

@rahulk3010

Is there anything in the pipeline to get this issue fixed? This is popping up in all of our security approval requests. We will have to find alternatives if this doesn't get fixed soon enough.

Can we increase the priority for this issue?

@luckycreationsindia

> Is there anything in the pipeline to get this issue fixed? This is popping up in all of our security approval requests. We will have to find alternatives if this doesn't get fixed soon enough.
>
> Can we increase the priority for this issue?

Have you tried the fix mentioned above? That will fix the issue:

#113 (comment)

`npm install https://github.com/LaurentGoderre/archetype.git#fix-lodash_set-vuln`

@rahulk3010

> > Is there anything in the pipeline to get this issue fixed? This is popping up in all of our security approval requests. We will have to find alternatives if this doesn't get fixed soon enough.
> > Can we increase the priority for this issue?
>
> Have you tried the fix mentioned above? That will fix the issue:
>
> #113 (comment)
>
> `npm install https://github.com/LaurentGoderre/archetype.git#fix-lodash_set-vuln`

I was looking for an official fix.

Fortunately, there is a fix provided by archetype recently with version 0.13.1.

So I could do something like this:

```json
"overrides": {
    "archetype": "^0.13.1"
}
```
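The check below is an added example, not code from this thread or from the archetype or connect-mongodb-session projects. It audits a `lockfileVersion` 2/3 `package-lock.json` (parsed into an object) for any `archetype` install older than 0.13.1, the version the comment above reports as fixed, and for any `lodash.set` install still present (the package flagged by GHSA-p6mc-m468-83gw in the audit output), and it builds the `overrides` entry shown above. The function names and both sample lock files are this example's own constructions; the package versions inside them are illustrative, not a claim about which releases exist.

```javascript
"use strict";

// Version the thread reports as carrying the fix.
const ARCHETYPE_FIXED = "0.13.1";

// Parse "major.minor.patch" into numbers; any pre-release/build suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk every installed path in the lock file's "packages" map and collect findings.
// Nested installs ("node_modules/x/node_modules/archetype") are covered because the
// package name is taken from the last "node_modules/" segment of the path.
function findVulnerableDeps(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (name === "archetype" && compareSemver(entry.version, ARCHETYPE_FIXED) < 0) {
      findings.push({ path, name, version: entry.version,
        reason: `archetype older than ${ARCHETYPE_FIXED}` });
    } else if (name === "lodash.set") {
      findings.push({ path, name, version: entry.version,
        reason: "lodash.set still installed (GHSA-p6mc-m468-83gw)" });
    }
  }
  return findings;
}

// Return a copy of a package.json object with the overrides entry from the thread added.
function addArchetypeOverride(pkg) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), archetype: `^${ARCHETYPE_FIXED}` } };
}

// Constructed sample: a tree shaped like the audit output above, with one nested
// archetype copy. Versions are illustrative only.
const SAMPLE_LOCK_BEFORE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/connect-mongodb-session": { version: "3.1.1" },
    "node_modules/archetype": { version: "0.12.1" },
    "node_modules/lodash.set": { version: "4.3.2" },
    "node_modules/connect-mongodb-session/node_modules/archetype": { version: "0.8.7" },
  },
};

// Constructed sample: what a clean tree looks like once the override is in place.
const SAMPLE_LOCK_AFTER = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/connect-mongodb-session": { version: "3.1.1" },
    "node_modules/archetype": { version: "0.13.1" },
  },
};

// Print a report for a lock object and return the number of findings.
function report(lock) {
  const findings = findVulnerableDeps(lock);
  for (const f of findings) console.log(`${f.path}: ${f.name}@${f.version} - ${f.reason}`);
  if (findings.length === 0) console.log("no archetype/lodash.set findings");
  return findings.length;
}

report(SAMPLE_LOCK_BEFORE);
report(SAMPLE_LOCK_AFTER);
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `report` instead of the sample; a non-zero return from the "after" run means the override did not reach every nested copy and `npm ls archetype` is the next thing to look at.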

@thekevinhunt

I just noticed this seems to have resolved itself on my end by automatically utilizing [email protected], so it doesn't look like we need to do anything special (unofficial or otherwise) to get around it now.
