Lodash-es provides the popular Lodash utility library in a format optimized for modern JavaScript development using ES modules, facilitating smaller bundle sizes and improved performance through tree-shaking. Between versions 4.6.1 and 4.7.0, developers saw a refinement of this already valuable tool. Both versions, licensed under the permissive MIT license, ensure developers have the freedom to use and modify the library according to their project's needs.
While the core functionality, description, and authorship remained consistent between these versions, the key difference lies in the release date and potential bug fixes or minor enhancements incorporated in the newer version. Lodash-es 4.7.0, released on March 31, 2016, followed version 4.6.1 released on March 2, 2016. Developers should prefer the later version (4.7.0) for accessing the most up-to-date and potentially more stable implementation of Lodash's functions. Using the updated version offers benefits of incorporating any bug fixes or performance tweaks made since the previous release, ensuring a smoother development experience.
For developers leveraging ES modules and seeking a comprehensive set of utility functions, Lodash-es continues to be a prime choice. Always prioritizing the newer version, unless compatibility issues are discovered, ensures you're building on the best possible foundation for your JavaScript projects. Remember to stay updated with future lodash-es upgrades for the most relevant improvements.
All the vulnerabilities related to the version 4.7.0 of the package
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.