fix: prototype pollution in _.defaultsDeep #4336

Kirill89 · 2019-06-19T11:25:24Z

The PR is fixing a Prototype Pollution vulnerability in _.defaultsDeep.

You can see details about similar vulnerability here: https://snyk.io/vuln/SNYK-JS-LODASH-73638

jsf-clabot · 2019-06-19T11:25:27Z

All committers have signed the CLA.

jdalton · 2019-06-24T16:17:59Z

Thank you @Kirill89!

falsyvalues · 2019-07-10T07:17:54Z

Lodash v4.17.13 was released yesterday.

lodash/lodash#4336

🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch) Advisory: CVE-2019-10744 Disclosed: July 10, 2019 URL: lodash/lodash#4336

fixed CVE-2019-10744 lodash/lodash#4336

Update `lodash.defaultsdeep` to version `^4.6.1`. This is causing a high severity vulnerability in our repo. Fixed in lodash/lodash#4336.

lodash/lodash#4336

Update `lodash.defaultsdeep` to version `^4.6.1`. This is causing a high severity vulnerability in our repo. Fixed in lodash/lodash#4336.

see lodash/lodash#4336

Ref: lodash/lodash#4336 Ref: https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/ Ref: mailgun/mailgun.js#48

Update lodash.merge to ^4.6.2 (from ^4.6.0) https://github.com/lodash/lodash/issues/4348 lodash/lodash#4336

…y a development dependency, so no urgent need to publish, just for developers (lodash/lodash#4336).

…r developers (lodash/lodash#4336).

See: - lodash/lodash#4336 - https://snyk.io/vuln/SNYK-JS-LODASH-73638

CVE-2019-10744 lodash/lodash#4336 This is not critical since we only use lodash in development

fix: prototype pollution in _.defaultsDeep

a01e4fa

Kirill89 mentioned this pull request Jun 19, 2019

fix: prototype pollution in several npm packages #4337

Merged

jdalton added the bug label Jun 24, 2019

jdalton merged commit 1f8ea07 into lodash:4.17.12-pre Jun 24, 2019

ghost mentioned this pull request Jul 3, 2019

JS: bump vulnerable lodash version for prototype pollution github/codeql#1540

Merged

willdurand mentioned this pull request Jul 3, 2019

Temporarily ignore lodash prototype pollution mozilla/addons-code-manager#904

Merged

benjie mentioned this pull request Jul 4, 2019

[Snyk] Fix for 1 vulnerable dependencies graphile/crystal#1114

Closed

spencern mentioned this pull request Jul 5, 2019

chore: snyk ignore lodash reactioncommerce/reaction#5281

Merged

tylerlevine mentioned this pull request Jul 10, 2019

CT-625: Upgrade lodash packages for CVE-2019-10744 fix BitGo/BitGoJS#425

Merged

kocisov added a commit to kocisov/clai that referenced this pull request Jul 10, 2019

upgrade lodash

be13d34

lodash/lodash#4336

mearns added a commit to mearns/tracking-promise that referenced this pull request Jul 11, 2019

Update lodash for prototype pollution vulnerability

7ca8be2

lodash/lodash#4336

mileslane mentioned this pull request Jul 11, 2019

Dependency needs updating. CVE-2019-10744 - high severity. Patched version: lodash.merge@^4.6.2 broccolijs/broccoli-concat#141

Closed

MichaelWalker-git mentioned this pull request Jul 11, 2019

Fix lodash vulnerability MichaelWalker-git/WeatherForecaster#6

Merged

adamansky added a commit to Softmotions/ejdb that referenced this pull request Jul 11, 2019

* ejdb2_node (1.0.4)

c221086

fixed CVE-2019-10744 lodash/lodash#4336

blundin added a commit to blundin/brianlundin.com that referenced this pull request Jul 11, 2019

fixing security vulnerability: lodash/lodash#4336

282e4df

emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019

fix(@vue/cli-service): Update lodash.defaultsdeep

17845f1

Update `lodash.defaultsdeep` to version `^4.6.1`. This is causing a high severity vulnerability in our repo. Fixed in lodash/lodash#4336.

emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019

fix(@vue/cli-service): Update lodash.defaultsdeep

ed34b96

Update `lodash.defaultsdeep` to version `^4.6.1`. This is causing a high severity vulnerability in our repo. Fixed in lodash/lodash#4336.

emizzle mentioned this pull request Jul 11, 2019

fix(@vue/cli-service): Update lodash.defaultsdeep vuejs/vue-cli#4273

Merged

danwild added a commit to onaci/leaflet-velocity that referenced this pull request Jul 11, 2019

security patches for build deps

0c333d1

lodash/lodash#4336

emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019

fix(@vue/cli-service): Update lodash.defaultsdeep

bb51a67

Update `lodash.defaultsdeep` to version `^4.6.1`. This is causing a high severity vulnerability in our repo. Fixed in lodash/lodash#4336.

owenvoke mentioned this pull request Jul 11, 2019

deps: update lodash to fix prototype pollution tldr-pages/tldr-node-client#271

Merged

4 tasks

foosinn added a commit to bitsbeats/hub that referenced this pull request Jul 11, 2019

security fix CVE-2019-10744

35c1d26

see lodash/lodash#4336

evq mentioned this pull request Jul 11, 2019

bump lodash.merge uphold/uphold-sdk-javascript#25

Merged

lucasfeliciano mentioned this pull request Jul 11, 2019

[Security] Update lodash jaredpalmer/formik#1668

Merged

karlhorky mentioned this pull request Jul 11, 2019

Upgrade Lodash dependencies to latest mailgun/mailgun.js#48

Closed

andrew-jung added a commit to sdelements/material-ui that referenced this pull request Jul 15, 2019

Update package.json

f2ae5bf

Update lodash.merge to ^4.6.2 (from ^4.6.0) https://github.com/lodash/lodash/issues/4348 lodash/lodash#4336

andrew-jung mentioned this pull request Jul 15, 2019

Update package.json sdelements/material-ui#5

Closed

dannypaz mentioned this pull request Jul 15, 2019

fixed lodash vuln for lnd-engine sparkswap/lnd-engine#255

Merged

ricmoo added a commit to ethers-io/ethers.js that referenced this pull request Jul 15, 2019

Updated package-lock for lodash security advisory; the package is onl…

d719064

…y a development dependency, so no urgent need to publish, just for developers (lodash/lodash#4336).

ricmoo added a commit to ricmoo/Takoyaki that referenced this pull request Jul 15, 2019

Updated security advisory; only devDependency, so not urgent, just fo…

888941f

…r developers (lodash/lodash#4336).

pastelmind mentioned this pull request Jul 16, 2019

Upgrade to async 2.6.3 to fix upstream vulnerability in lodash jrit/web-resource-inliner#47

Merged

kenshin-samourai mentioned this pull request Jul 16, 2019

update nodejs packages Samourai-Wallet/samourai-dojo#41

Merged

brophdawg11 added a commit to brophdawg11/state-machine that referenced this pull request Jul 16, 2019

Pin lodash to >=4.17.13 for security reasons

26e8d70

See: - lodash/lodash#4336 - https://snyk.io/vuln/SNYK-JS-LODASH-73638

radu-matei mentioned this pull request Jul 17, 2019

Add resolution for NPM package lodash due to security vulnerability brigadecore/brigade#951

Merged

kennyadsl added a commit to nebulab/solidus that referenced this pull request Jul 17, 2019

Bump lodash for a security vulnerability

3cca7ff

CVE-2019-10744 lodash/lodash#4336 This is not critical since we only use lodash in development

kennyadsl mentioned this pull request Jul 17, 2019

[Guides] Bump lodash for a security vulnerability solidusio/solidus#3273

Merged

2 tasks

lodash locked and limited conversation to collaborators Jul 17, 2019

ozgurgunes added a commit to ozgurgunes/Sketch-Case-Converter that referenced this pull request Aug 1, 2019

Fixes lodash/lodash#4336

9ef1100

ozgurgunes added a commit to ozgurgunes/Sketch-Symbol-States that referenced this pull request Aug 1, 2019

fixes lodash/lodash#4336

6b66a37

ozgurgunes added a commit to ozgurgunes/Sketch-Overrides-Manager that referenced this pull request Aug 1, 2019

fixes lodash/lodash#4336

105d9f3

ozgurgunes added a commit to ozgurgunes/Sketch-Layer-Comps that referenced this pull request Aug 1, 2019

fixes lodash/lodash#4336

1bd0cce

ozgurgunes added a commit to ozgurgunes/Sketch-Turkish-Data that referenced this pull request Aug 1, 2019

fixes lodash/lodash#4336

3258531

egalano added a commit to INFURA/devp2p-network that referenced this pull request Aug 6, 2019

Lodash sec fix lodash/lodash#4336

8efb124

egalano added a commit to INFURA/devp2p-network that referenced this pull request Aug 6, 2019

Lodash sec fix lodash/lodash#4336 (#14)

940b955

lodash deleted a comment from Kirill89 Nov 16, 2021

lodash deleted a comment from KrayzeeKev Nov 16, 2021

lodash deleted a comment from MRhyne1931 Nov 16, 2021

lodash deleted a comment from luke-perry Nov 16, 2021

lodash deleted a comment from jagij Nov 16, 2021

lodash deleted a comment from ChristianMurphy Nov 16, 2021

lodash deleted a comment from patrick-ausderau Nov 16, 2021

lodash deleted a comment from dayknchung Nov 16, 2021

jdalton added issue bankruptcy Closing the issue/PR to start fresh and removed issue bankruptcy Closing the issue/PR to start fresh labels Sep 16, 2023

TartarusDevtech added a commit to TartarusDevtech/Devp2pNetwork that referenced this pull request May 24, 2025

Lodash sec fix lodash/lodash#4336 (#14)

9a84688

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: prototype pollution in _.defaultsDeep #4336

fix: prototype pollution in _.defaultsDeep #4336

Uh oh!

Kirill89 commented Jun 19, 2019

Uh oh!

jsf-clabot commented Jun 19, 2019 •

edited

Loading

Uh oh!

jdalton commented Jun 24, 2019

Uh oh!

falsyvalues commented Jul 10, 2019

Uh oh!

Uh oh!

fix: prototype pollution in _.defaultsDeep #4336

fix: prototype pollution in _.defaultsDeep #4336

Uh oh!

Conversation

Kirill89 commented Jun 19, 2019

Uh oh!

jsf-clabot commented Jun 19, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jdalton commented Jun 24, 2019

Uh oh!

falsyvalues commented Jul 10, 2019

Uh oh!

Uh oh!

jsf-clabot commented Jun 19, 2019 •

edited

Loading