Lodash 0.4.0 is an early release of the JavaScript utility library, building on version 0.3.2. Both versions were published as drop-in replacements for Underscore.js, offering performance improvements, bug fixes and a wider set of utilities. The package description is the same in both; the differences lie in the package metadata.
The 0.4.0 package data adds explicit repository details (the GitHub URL and repository type), which ties the published package to its source code and makes it easier to find, and it records a release date, which 0.3.2 does not. The 0.3.2 metadata also carries no dependency fields (dependencies, devDependencies, optionalDependencies); that may simply reflect a simpler early package layout, or the absence of the build and test tooling configured in later releases.
For developers evaluating either release, the fuller package metadata in 0.4.0 reflects the project's maturation and a commitment to a documented, traceable package. Both versions offer the same core utilities, and of the two the later release is the one to prefer for its more explicit metadata. Note, however, that both releases predate by years every fix named in the advisories below.
Known vulnerabilities affecting version 0.4.0 of the package. Each fix landed in a 4.17.x release, so 0.4.0 is affected by every advisory listed here.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property to, or modifying an existing property on, every object in the process.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to Prototype Pollution. The vulnerable functions are defaultsDeep, merge and mergeWith, which allow a malicious user to modify the prototype of Object via __proto__, adding a property to, or modifying an existing property on, every object in the process.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to Prototype Pollution. The vulnerable functions are defaultsDeep, merge and mergeWith, which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property to, or modifying an existing property on, every object in the process. This is the same class of flaw as the __proto__ case fixed in 4.17.5, reached through a second path to Object.prototype.
Update to version 4.17.11 or later.
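The three prototype-pollution advisories above describe one mechanism: a recursive merge that follows every source key into the target, so the keys __proto__ or constructor.prototype lead it straight into Object.prototype. The following is an added example written for this page, not lodash's own code: a minimal defaults-style deep merge that reproduces the flaw, next to a hardened version that refuses the prototype-reaching keys, consults only the target's own properties, and recurses only into plain objects. The two JSON payloads are constructed for the demonstration.

```javascript
// Added example (not lodash's own code): a minimal recursive "defaults" merge of the
// kind the advisories above describe, next to a hardened version.

// Vulnerable: walks every key of the source and follows target[key] even when that
// value is inherited. For key "__proto__" the lookup on a plain target yields
// Object.prototype; for key "constructor" it yields Object, whose "prototype" is again
// Object.prototype.
function defaultsDeepVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const srcVal = source[key];
    if (srcVal !== null && typeof srcVal === 'object') {
      if (target[key] === undefined) target[key] = {};
      defaultsDeepVulnerable(target[key], srcVal);   // may now be walking Object.prototype
    } else if (target[key] === undefined) {
      target[key] = srcVal;                           // fills in a missing default
    }
  }
  return target;
}

// Hardened: never walks toward a prototype, only consults the target's own properties,
// and only recurses when both sides are plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function defaultsDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;            // the keys that reach a prototype
    const srcVal = source[key];
    if (!hasOwn(target, key)) {
      // Missing on the target: copy the default in (deep-copied when it is an object).
      target[key] = isPlainObject(srcVal) ? defaultsDeepSafe({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      defaultsDeepSafe(target[key], srcVal);
    }
    // An existing non-object value on the target is kept, as "defaults" semantics require.
  }
  return target;
}

// Constructed payloads, parsed from JSON the way an untrusted request body would be.
// JSON.parse creates an own property literally named "__proto__", so Object.keys sees it.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "via __proto__"}}';
const CTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "via constructor.prototype"}}}';

// Merges one payload into an empty object and reports what an unrelated, freshly created
// object then sees for "polluted". Restores Object.prototype afterwards so the process
// is not left polluted for later code.
function pollutionResult(mergeFn, payloadJson) {
  mergeFn({}, JSON.parse(payloadJson));
  const seenByFreshObject = ({}).polluted;
  delete Object.prototype.polluted;
  return seenByFreshObject;
}

console.log('vulnerable, __proto__   :', pollutionResult(defaultsDeepVulnerable, PROTO_PAYLOAD));
console.log('vulnerable, constructor :', pollutionResult(defaultsDeepVulnerable, CTOR_PAYLOAD));
console.log('hardened,   __proto__   :', pollutionResult(defaultsDeepSafe, PROTO_PAYLOAD));
console.log('hardened,   constructor :', pollutionResult(defaultsDeepSafe, CTOR_PAYLOAD));
```

Blocking __proto__ alone is not enough, which is why the 4.17.5 fix had to be followed by the 4.17.11 and 4.17.12 fixes: the constructor key reaches the same Object.prototype through a function's prototype property. The hardened version closes both routes, and the own-property check also stops the walk from following any other inherited value.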
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.17.11 is affected by CWE-400: Uncontrolled Resource Consumption. The impact is denial of service. The component is the date handler. The attack vector: an attacker supplies very long strings, which the library attempts to match using a regular expression. The fixed version is 4.17.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Update to version 4.17.21 or later.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
// Builds "1", then n spaces, then "1": there is no leading or trailing whitespace for
// trim to remove, yet each call below is slow on an affected version.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}
var s = build_blank(50000);
var time0 = Date.now();
lo.trim(s);
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s);
var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
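The reproduction above shows the symptom; the following added example, written for this page rather than taken from lodash, shows the cause and the shape of the fix. regexTrim uses an anchored alternation of the same form as the pattern lodash relied on before 4.17.21, and linearTrim is the kind of replacement that release moved to: scan inward from both ends one character at a time, so there is nothing to backtrack. safeToNumber, the helper buildBlank (same construction as the reporter's build_blank) and timeMs are assumptions introduced here for the demonstration.

```javascript
// Added example (not lodash's own code): why the trim regex is quadratic, and a
// linear-time trim of the kind that replaced it.

// Quadratic on input such as "1" + spaces + "1". The global regex is retried at every
// position; at each space, "\s+" runs greedily to the final "1", "$" fails there, and
// the engine backtracks through every shorter match before moving the start one to the
// right. n spaces cost on the order of n*n/2 steps.
function regexTrim(str) {
  return str.replace(/^\s+|\s+$/g, '');
}

// Linear: each character is examined at most once, and a single-character test has no
// backtracking to do. Uses the same \s class so the result matches regexTrim exactly.
const WHITESPACE = /\s/;
function linearTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && WHITESPACE.test(str[start])) start++;
  while (end > start && WHITESPACE.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// A toNumber that trims its string input with the linear routine before converting
// (an assumption about the shape of a safe toNumber, not lodash's implementation).
function safeToNumber(value) {
  if (typeof value === 'number') return value;
  return +linearTrim(String(value));   // +"42" is 42, +"1   1" is NaN
}

// Constructed adversarial input, built like the reporter's build_blank above.
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

// Wall-clock cost of one call, for comparing the two routines on the same input.
function timeMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Kept small enough that the quadratic version finishes quickly when run here; the
// reporter used 50000, where the regex form takes seconds and the linear form does not.
const sample = buildBlank(5000);
console.log('regexTrim  ms:', timeMs(regexTrim, sample));
console.log('linearTrim ms:', timeMs(linearTrim, sample));
console.log('safeToNumber(" 42 ") =', safeToNumber(' 42 '), ', on adversarial input =', safeToNumber(sample));
```

Raise the argument to buildBlank and the gap between the two timings grows quadratically for regexTrim and linearly for linearTrim; that asymmetry, on attacker-controlled input, is the whole of the denial of service. The fix pattern generalises: any regex whose quantified class can end only at an anchor should be replaced by an index scan or bounded in input length before matching.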
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Update to version 4.17.21 or later.