Lodash version 1.3.1 represents a minor iterative improvement over its predecessor, version 1.3.0, both maintaining the core essence of providing utility functions for JavaScript developers. This library is designed to enhance code consistency, customization, and overall performance. Both versions are released under the MIT license, ensuring flexibility for developers to integrate Lodash into various projects. Both versions share the same author, John-David Dalton.
The key difference lies in underlying bug fixes and small adjustments implemented to refine the existing functionality. Developers will appreciate the subtle enhancements aimed at optimizing performance and addressing potential edge cases. Although the fundamental API remains consistent with version 1.3.0, migrating to 1.3.1 offers the advantage of a more stable and polished experience. Because the release dates are very close one to the other, it is probably a patch release based on the fast feedback from the community.
Given Lodash's focus on utility functions, both versions are valuable for tasks like array manipulation, object property access, and function binding simplifying complex operations. Developers who seek stability and reliability in their projects should opt for version 1.3.1 for its refined improvements, while those already using 1.3.0 and not experiencing any issues might consider the upgrade beneficial for staying current with the latest refinements. Both versions draw from the same GitHub repository, indicating a shared commitment to quality and community collaboration.
All the vulnerabilities related to the version 1.3.1 of the package
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.17.11 or later.
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.