Lodash-es version 4.17.14 is a minor update to the popular Lodash utility library, specifically packaged and distributed as ES modules for modern JavaScript environments. Building upon the solid foundation of version 4.17.13, this release offers developers a refined and optimized experience when leveraging Lodash's extensive collection of functions for common programming tasks.
While seemingly incremental, the changes between 4.17.13 and 4.17.14 are noteworthy. The file count increases from 646 to 647, and the unpacked size sees a slight bump from 630,151 bytes to 631,273 bytes, suggesting subtle improvements, bug fixes, or the addition of a small module. Developers should expect enhanced stability and potentially minor performance gains.
Using Lodash-es allows developers to cherry-pick only the functionalities they need, resulting in smaller bundle sizes compared to importing the entire Lodash library. This contributes significantly to improved website loading times and a smoother user experience. The consistent API, extensive documentation, and wide community support make Lodash-es an excellent choice for tasks ranging from array manipulation and object handling to function composition and string operations. Version 4.17.14 maintains the library's MIT license, encouraging its free use in both personal and commercial projects. Released on July 10, 2019, shortly after its predecessor, it gives developers added confidence that the library is actively maintained.
All vulnerabilities affecting version 4.17.14 of the package
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
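As an added example (not lodash's own code and not from this advisory), the check a defender would put in front of any deep "set" driven by user-supplied paths: refuse the path segments that reach Object.prototype, and expose a runtime probe that a test suite can call to confirm the prototype is still clean. The names isSafeSegment, safeSet and prototypeIsClean are assumed for this illustration.

```javascript
// Added example (not lodash code): a deep "set" that rejects the path
// segments prototype pollution depends on, so user-controlled property
// names can never walk onto Object.prototype. Helper names are assumed.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Accept a path given as "a.b.c" or ["a", "b", "c"].
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

function isSafeSegment(seg) {
  return !FORBIDDEN.has(seg);
}

// Returns obj on success; throws instead of silently polluting.
function safeSet(obj, path, value) {
  const segs = toSegments(path);
  if (segs.length === 0 || !segs.every(isSafeSegment)) {
    throw new TypeError('refusing unsafe property path: ' + segs.join('.'));
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    // Only descend into own, non-null object properties; never follow
    // an inherited one, so a container is created on the object itself.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Runtime check: has any enumerable property leaked onto Object.prototype?
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```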
Regular Expression Denial of Service (ReDoS) in lodash
All versions of the lodash package prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');

// Build "1" + n spaces + "1": a long run of whitespace followed by a
// non-space character is the input that exercises the slow regex path
// in affected versions.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var s = build_blank(50000);

var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);

var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);

var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.