Lodash-es version 4.17.12 represents a subtle but notable update to the popular utility library, compared to its predecessor, version 4.17.11. Both versions provide Lodash's extensive toolkit of functions, optimized for use within ES module environments, catering to modern JavaScript development workflows. Core functionalities like array manipulation, object handling, and function utilities remain consistent.
However, examining the metadata reveals nuanced differences. Version 4.17.12, released in July 2019, has a slightly larger unpacked size (630120 bytes) than version 4.17.11 (628240 bytes), released in September 2018, and ships one more file, for a total of 646 files. This suggests code adjustments or additions, possibly bug fixes or performance enhancements. The description is identical, but the author information differs slightly: the author's name and email are the same, while the url that is present in version 4.17.11 is missing in version 4.17.12.
For developers, this incremental update likely means improved stability and potentially optimized performance without fundamentally altering the API. If you're already using lodash-es, upgrading to 4.17.12 is advisable for bug fixes and general improvements. Checking the Lodash changelog on their GitHub repository is always recommended for a complete understanding of the exact changes introduced in this specific version and how they might impact your code. Lodash-es remains a valuable asset for streamlining JavaScript development.
All the vulnerabilities related to version 4.17.12 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
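The two advisories above describe one root cause from two sides: a deep merge that follows a user-controlled object into constructor.prototype, and path-based setters that are handed a user-controlled property path. The following is an added example, not lodash's own code, showing the guard a defender places in front of either operation: a deny-list of the keys that reach Object.prototype, applied to a defaultsDeep-style merge and to a set-style path update, followed by the post-condition check a test suite should run. The names safeDefaultsDeep, safeSet, assertSafePath, prototypeIsClean and demo are hypothetical, path handling is simplified to dotted strings and arrays, and the payloads are constructed for the demonstration.

```javascript
// Added example (not lodash code). A deny-list of the keys through which a
// plain-object write escapes into Object.prototype, applied to the two
// operations the advisories name: a defaultsDeep-style merge and a set-style
// path update. Function names are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fills missing keys of `target` from `source`, recursing into plain objects,
// and silently drops any branch rooted at a forbidden key.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(srcVal)) {
      if (!hasOwn) target[key] = {};
      if (isPlainObject(target[key])) safeDefaultsDeep(target[key], srcVal);
    } else if (!hasOwn) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Accepts the path forms set/update take, in simplified form (dotted string or
// array of segments), and refuses any segment that would walk the prototype.
function assertSafePath(path) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) throw new Error('unsafe path segment: ' + seg);
  }
  return segments;
}

// Minimal set(): creates intermediate plain objects along a validated path.
function safeSet(obj, path, value) {
  const segments = assertSafePath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!Object.prototype.hasOwnProperty.call(cur, seg) || !isPlainObject(cur[seg])) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Post-condition worth asserting in a test suite: nothing leaked into the
// shared prototype.
function prototypeIsClean(name) {
  return !(name in Object.prototype);
}

// Runs both guards against payloads constructed in the shape the advisories
// describe. JSON.parse stands in for a request body, where "__proto__" arrives
// as an ordinary own key rather than the literal-syntax prototype setter.
function demo() {
  const mergePayload = JSON.parse('{"constructor":{"prototype":{"polluted":"yes"}}}');
  const protoPayload = JSON.parse('{"__proto__":{"polluted":"yes"}}');
  const settings = safeDefaultsDeep({ theme: 'dark' }, mergePayload);
  safeDefaultsDeep(settings, protoPayload);

  let pathRejected = false;
  try {
    safeSet(settings, 'constructor.prototype.polluted', 'yes');
  } catch (e) {
    pathRejected = true;
  }
  safeSet(settings, ['ui', 'font'], 'mono');
  return { settings, pathRejected, clean: prototypeIsClean('polluted') };
}
```

The merge drops the forbidden branch instead of throwing, because configuration merges usually run on trusted defaults plus untrusted overrides and a silent skip is the safer default there; the path setter throws, because a path containing constructor or __proto__ has no legitimate use and is worth surfacing in logs.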
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
// Build "1", n spaces, "1": a long whitespace run that does not end the string.
function build_blank(n) {
    var ret = "1";
    for (var i = 0; i < n; i++) {
        ret += " ";
    }
    return ret + "1";
}
var s = build_blank(50000);
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
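The reproduction works because a run of whitespace is followed by one more non-whitespace character, which forces a trailing-whitespace pattern such as /\s+$/ to retry from every position in the run. The following is an added example, not lodash's code, that rebuilds trim and trimEnd as linear character scans (toNumber is affected through the same trimming step, so the same fix covers it) and times the quadratic pattern shape against them on the reporter's input. The names linearTrim, linearTrimEnd, trimmedEndIndex, trimmedStartIndex, buildBlank and compareCost are assumed.

```javascript
// Added example (not lodash code). The trim family in affected versions ran a
// /^\s+|\s+$/-style pattern over the whole string; the trailing alternative
// backtracks from every whitespace position when the run does not actually end
// the string, so "1" + n spaces + "1" costs O(n^2). Scanning one character at
// a time from each end is O(n) and has no backtracking to exploit.

// A one-character test cannot backtrack; \s keeps the same whitespace set.
function isWhitespace(ch) {
  return /\s/.test(ch);
}

// Index just past the last non-whitespace character (0 if there is none).
function trimmedEndIndex(str) {
  let end = str.length;
  while (end > 0 && isWhitespace(str[end - 1])) end -= 1;
  return end;
}

// Index of the first non-whitespace character (str.length if there is none).
function trimmedStartIndex(str) {
  let start = 0;
  while (start < str.length && isWhitespace(str[start])) start += 1;
  return start;
}

function linearTrim(value) {
  const s = String(value);
  const end = trimmedEndIndex(s);
  if (end === 0) return '';
  return s.slice(trimmedStartIndex(s), end);
}

function linearTrimEnd(value) {
  const s = String(value);
  return s.slice(0, trimmedEndIndex(s));
}

// Same construction as the reporter's build_blank: "1", n spaces, "1".
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

// Times the quadratic pattern shape against the linear scan on the same input.
// Returned values are milliseconds and vary by machine and engine.
function compareCost(n) {
  const s = buildBlank(n);
  const t0 = Date.now();
  s.replace(/^\s+|\s+$/g, ''); // the pattern shape that backtracks
  const regexMs = Date.now() - t0;
  const t1 = Date.now();
  linearTrim(s);
  const linearMs = Date.now() - t1;
  return { regexMs, linearMs };
}
```

Calling compareCost(50000) mirrors the reporter's setting; the regex figure grows roughly with the square of n while the linear figure stays near zero. The same review applies to any hand-written validation regex that anchors an unbounded repetition at the end of user-supplied input.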
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.