Lodash version 0.2.0 builds upon the foundation laid by its predecessor, version 0.1.0, continuing its mission to provide a high-performance, drop-in replacement for Underscore.js. Both versions share the same core goal of delivering performance improvements, bug fixes, and new features to developers seeking a robust utility library. While the overarching purpose remains constant, subtle differences emerge that are interesting for developers evaluating the library.
The key distinction lies in the description, where version 0.1.0 boasts "up to 8x performance improvements." Version 0.2.0 softens this claim, generally referring to performance improvements without specifying the magnitude. This potentially signals a recalibration of performance expectations or a shift in focus towards other enhancements.
Both versions maintain a clean dependency profile, listing no required, development, or optional dependencies, which means developers can integrate lodash into their projects without worrying about dependency conflicts or bloat.
Both have the same author and repository, indicating continuity in development and maintenance. Comparing the release dates, version 0.2.0 arrived approximately one month after version 0.1.0, suggesting an active development cycle focused on rapid iteration. This continuous improvement is a positive sign for developers relying on Lodash for consistent performance and bug fixes. Lodash offers a reliable solution for developers needing advanced array, object, and string manipulation, helping keep JavaScript projects cleaner and more succinct.
All vulnerabilities related to version 0.2.0 of the package:

Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.

Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.

Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
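As an added example (not lodash's code and not part of the advisories), here is a defaultsDeep-style merge hardened against the two payload shapes described above, together with a scanner that flags the offending keys in untrusted input before any merge runs; the JSON sample it checks is constructed for this example.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Only plain objects are walked; arrays, class instances, functions and null
// are leaves, so recursion never enters a real prototype chain.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Dotted paths of forbidden keys anywhere in `input`. Object.keys returns own
// enumerable keys, so an own '__proto__' key (as JSON.parse creates) is seen.
function findPollutionKeys(input, path = []) {
  const hits = [];
  if (!isPlainObject(input)) return hits;
  for (const key of Object.keys(input)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPollutionKeys(input[key], here));
  }
  return hits;
}

// defaultsDeep-style fill: copy `source` keys that `target` lacks or holds as
// undefined, recursing into plain objects; forbidden keys are never written.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    const dstVal = own ? target[key] : undefined;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      if (dstVal === undefined) target[key] = safeDefaultsDeep({}, srcVal);
      else if (isPlainObject(dstVal)) safeDefaultsDeep(dstVal, srcVal);
    } else if (dstVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed sample (not from the page): both payload shapes the advisories
// describe, arriving as a JSON request body would.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true},'
  + '"constructor":{"prototype":{"isAdmin":true}}}';
function demo() {
  const untrusted = JSON.parse(UNTRUSTED_JSON);
  const flagged = findPollutionKeys(untrusted); // worth logging or alerting on
  const config = safeDefaultsDeep({ theme: undefined, retries: 3 }, untrusted);
  return { flagged, theme: config.theme, retries: config.retries, polluted: ({}).isAdmin !== undefined };
}
console.log(demo());
```

Scanning first gives a detection signal (the flagged paths) independent of which merge helper the code base ends up using; the hardened merge is the mitigation if an upgrade to a fixed lodash is not immediately possible.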
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
// Build the test input: "1", then n spaces, then "1".
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}
var s = build_blank(50000);
// Time each affected function on the input.
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.