
Minor security issue #4

Open
byCedric opened this issue May 19, 2018 · 0 comments

Comments

@byCedric

Hi! I have noticed a minor security issue, reported by npm audit, regarding a dependency of this project. It's related to an older version of lodash (<4.17.5) that allows the prototype namespace to be polluted through its merge methods. The exact security report can be found here: https://nodesecurity.io/advisories/577. I also added the full report below.

I know that this project doesn't use lodash itself, but it does include an older version of react-google-maps. You can see this in the added dependency chain. This older version of react-google-maps includes the affected lodash dependency. Luckily, react-google-maps has fixed this issue in versions starting at 8.0.0.

I would recommend updating this dependency to >=8.0.0; they are currently at 9.4.5. There is only 1 breaking change when migrating from 7.3.0 to 8.0.0, and I'm not exactly sure whether it affects this library (https://github.com/tomchentw/react-google-maps/blob/v8.0.0/CHANGELOG.md#breaking-changes).

Let me know if I can do anything to help resolve this, by creating a PR for example. 😄

Cheers,
Cedric

The dependency chain

```
<our-project>
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```

The full report by npm audit

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo > react-native-web-maps > react-google-maps > lodash    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
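The bug class behind the advisory above, as an added example that is not part of the issue, of lodash, or of this project: a naive recursive merge of the kind that lets a `"__proto__"` key in untrusted input write into `Object.prototype`, beside a hardened merge that refuses such keys, plus a check you can point at any merge implementation to see whether it pollutes the prototype. The payload and the merge functions are constructed for the demonstration.

```javascript
// Added example (not from the issue, lodash or this project).
const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Naive recursive merge: it walks every own key of `source`, so an own
// "__proto__" key (as produced by JSON.parse) makes `target["__proto__"]`
// resolve to Object.prototype, which then receives the nested values.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: skips keys that reach the prototype chain and only recurses
// into a property that `target` owns itself, never into an inherited one.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check for any merge(target, source) implementation: merge a constructed
// "__proto__" payload into an empty object and report whether a marker
// property appeared on Object.prototype. Always cleans the marker up again.
function pollutesPrototype(merge) {
  const marker = "__pp_check_marker__";
  const payload = JSON.parse(`{"__proto__": {"${marker}": true}}`);
  try {
    merge({}, payload);
    return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  } finally {
    delete Object.prototype[marker];
  }
}
```

`pollutesPrototype(naiveMerge)` returns `true` and `pollutesPrototype(safeMerge)` returns `false`; the same check can be run against a vendored merge helper before trusting it with request bodies or config files.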