Lodash version 4.17.18 represents a minor update within the stable 4.17.x series, following version 4.17.17. Both versions cater to developers seeking modular JavaScript utilities, offering a comprehensive toolkit for common programming tasks. This includes array manipulation, object handling, function composition, and more. The two versions share the same MIT license, ensuring flexibility in usage, and are maintained by John-David Dalton. Development occurs transparently on GitHub, inviting community contributions and scrutiny.
The key differences between these releases lie in the details. Version 4.17.18 has a slightly larger unpacked size (1273063 bytes compared to 1200157) spread across a few more files (1046 vs 1044), which likely reflects bug fixes and minor performance improvements. While the core functionality remains consistent, upgrading to 4.17.18 gives developers the latest refinements, potentially addressing edge cases and optimizing resource usage. The newer release was published just hours after the previous one. The tarball download URLs are unique, each pointing to a specific package archive on the npm registry. The version bump from 4.17.17 to 4.17.18 signals increased stability of the library, so users are encouraged to upgrade to the latest version. Lodash is designed to be used in any JavaScript project, browser or Node.js, so the library is compatible with most frontend and backend use cases and frameworks.
Known vulnerabilities affecting version 4.17.18 of the package
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
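The mitigation the advisory implies is to never hand user-supplied property identifiers to a deep-set function unchecked. The following is an added example written for this page, not lodash's own code: a validator for lodash-style property paths that rejects the segments that reach Object.prototype, a deep-set stand-in (safeSet, assumed here in place of _.set and not a drop-in for it) that only writes own properties, and a runtime canary that reports whether the prototype has already been polluted. The path grammar handled (dots, [index], ["quoted key"]) is a simplified one written for the example.

```javascript
// Added example, not lodash's code: a guard for lodash-style property paths
// that come from untrusted input, plus a runtime canary. The path grammar
// handled here (dots, [index], ["quoted key"]) is a simplified one written
// for this example, and safeSet is a stand-in for _.set, not a drop-in.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split 'a.b[0]["c d"]' into ["a", "b", "0", "c d"]; arrays pass through.
function parsePath(path) {
  if (Array.isArray(path)) return path.map(String);
  const segments = [];
  const token = /[^.[\]]+|\[(\d+)\]|\[(["'])(.*?)\2\]/g;
  let m;
  while ((m = token.exec(String(path))) !== null) {
    if (m[1] !== undefined) segments.push(m[1]);        // [0] numeric index
    else if (m[3] !== undefined) segments.push(m[3]);   // ["key"] quoted key
    else segments.push(m[0]);                           // plain key
  }
  return segments;
}

// Reject any segment that would walk onto Object.prototype. The check runs on
// the parsed segments, so 'a.__proto__.b', ['__proto__'] and
// ['constructor', 'prototype', 'x'] are all caught however they are spelled.
function assertSafePath(path) {
  const segments = parsePath(path);
  if (segments.length === 0) throw new TypeError('empty property path');
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing property path containing "${seg}"`);
    }
  }
  return segments;
}

// Deep set that only ever writes own properties of plain containers.
function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const segments = assertSafePath(path);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    // Never descend into an inherited value; create a fresh container instead.
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = /^\d+$/.test(segments[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Canary: enumerable keys visible on a fresh empty object can only come from
// a polluted Object.prototype. Run it after parsing untrusted input.
function findPrototypePollution() {
  const leaked = [];
  for (const key in {}) leaked.push(key);
  return leaked;
}

// Demonstration with constructed inputs (runs stand-alone).
console.log(JSON.stringify(safeSet({}, 'profile.tags[0]', 'admin')));
try {
  safeSet({}, '__proto__.isAdmin', true);
} catch (e) {
  console.log('blocked:', e.message);
}
console.log('leaked prototype keys:', findPrototypePollution());
```

The canary is cheap because built-in properties of Object.prototype are non-enumerable, so anything a for-in loop sees on an empty object was put there by someone else.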
Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
    var lo = require('lodash');
    // Build "1", n spaces, "1": a string with nothing to trim at either end.
    function build_blank(n) {
        var ret = "1";
        for (var i = 0; i < n; i++) {
            ret += " ";
        }
        return ret + "1";
    }
    var s = build_blank(50000);
    var time0 = Date.now();
    lo.trim(s);
    var time_cost0 = Date.now() - time0;
    console.log("time_cost0: " + time_cost0);
    var time1 = Date.now();
    lo.toNumber(s);
    var time_cost1 = Date.now() - time1;
    console.log("time_cost1: " + time_cost1);
    var time2 = Date.now();
    lo.trimEnd(s);
    var time_cost2 = Date.now() - time2;
    console.log("time_cost2: " + time_cost2);
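The fix for this class of bug is to stop trimming with a backtracking regex. As an added example, not lodash's code, the block below puts a regex of the shape `\s+$` (assumed here as a representative of the quadratic pattern class the advisory describes, not quoted from the page) beside a linear scan that produces the same result, and adds a growth-ratio check that a test suite can use to catch superlinear string functions before they ship. buildBlank reproduces the input shape of the reporter's steps above.

```javascript
// Added example, not lodash's code. A regex of the shape `\s+$` stands in
// for the quadratic-backtracking class the advisory describes (assumption),
// beside a linear scan that does the same job, plus a growth-ratio check.

// Quadratic: on "1" + N spaces + "1" the engine starts a match at each of the
// N spaces, runs to the final "1", fails the `$` assertion, and backtracks one
// character at a time before moving the start forward: about N^2/2 steps.
const END_WHITESPACE = /\s+$/;

function regexTrimEnd(s) {
  return s.replace(END_WHITESPACE, '');
}

// Linear: each character is examined at most once, from the end inwards.
function isWhitespace(ch) {
  return /\s/.test(ch); // single-character test, constant time
}

function linearTrimEnd(s) {
  let end = s.length;
  while (end > 0 && isWhitespace(s[end - 1])) end--;
  return s.slice(0, end);
}

function linearTrimStart(s) {
  let start = 0;
  while (start < s.length && isWhitespace(s[start])) start++;
  return s.slice(start);
}

function linearTrim(s) {
  return linearTrimEnd(linearTrimStart(s));
}

// Same input shape as the reporter's reproduction: "1", n spaces, "1".
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

// Regression check for ReDoS: time f on inputs of size n and 2n and return
// the ratio. About 2 means linear, about 4 means quadratic. Timings are noisy
// on tiny inputs, so pick n large enough that f takes a few milliseconds.
function growthRatio(f, n) {
  const timeFor = (size) => {
    const input = buildBlank(size);
    const t0 = process.hrtime.bigint();
    f(input);
    return Number(process.hrtime.bigint() - t0);
  };
  return timeFor(2 * n) / timeFor(n);
}

// Demonstration (runs stand-alone): both implementations agree on the result,
// but only one of them scales with the input.
const sample = buildBlank(4000);
console.log('outputs agree:', regexTrimEnd(sample) === linearTrimEnd(sample));
console.log('regex growth ratio:', growthRatio(regexTrimEnd, 4000).toFixed(1));
console.log('loop growth ratio:', growthRatio(linearTrimEnd, 4000).toFixed(1));
```

The growth ratio is the useful part for a defender: a unit test that asserts the ratio stays below 3 on doubled input will flag a regression to quadratic behaviour without anyone having to read the regex.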
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
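Taken together, the three advisories above give two fixed versions (4.17.19 and 4.17.21), and the practical question for a maintainer is which copies of lodash in a dependency tree are still below them. The block below is an added example, not from lodash or this page: it encodes only the fixed versions stated above, compares versions with a hand-rolled three-part comparison (pre-release tags are not handled, by assumption), and walks a constructed dependency tree in the shape of a lockfile v1 "dependencies" object so that nested duplicate copies are reported, not just the hoisted one.

```javascript
// Added example, not from lodash or the page above. Decides which of the
// three advisories listed on this page apply to a given lodash version, using
// only the fixed versions the advisories state, and scans a constructed
// lockfile-style tree for every affected copy. Pre-release tags are not
// handled (assumption made for this example).

const LODASH_ADVISORIES = [
  { title: 'Prototype Pollution in lodash', fixedIn: '4.17.19' },
  { title: 'Regular Expression Denial of Service (ReDoS) in lodash', fixedIn: '4.17.21' },
  { title: 'Command Injection in lodash', fixedIn: '4.17.21' },
];

// "4.17.18" or "v4.17.18" -> [4, 17, 18]; anything else is rejected loudly
// rather than silently compared as a string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new TypeError(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Titles of the advisories whose fixed version is above the given one.
function advisoriesFor(version) {
  return LODASH_ADVISORIES
    .filter((a) => compareVersions(version, a.fixedIn) < 0)
    .map((a) => a.title);
}

// Walk a lockfile v1 style "dependencies" tree and report each affected
// lodash copy with its path. A fixed hoisted copy does not protect a
// vulnerable duplicate nested under another package.
function scanLockTree(tree, path = []) {
  const findings = [];
  for (const [name, entry] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'lodash') {
      const hits = advisoriesFor(entry.version);
      if (hits.length > 0) {
        findings.push({ path: here.join(' > '), version: entry.version, advisories: hits });
      }
    }
    findings.push(...scanLockTree(entry, here));
  }
  return findings;
}

// Constructed sample tree (not a real project's lockfile).
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: '4.17.21' },
    'some-plugin': { version: '1.0.0', dependencies: { lodash: { version: '4.17.18' } } },
    'other-lib': { version: '2.0.0', dependencies: { lodash: { version: '4.17.19' } } },
  },
};

console.log(JSON.stringify(scanLockTree(SAMPLE_LOCK), null, 2));
```

Against the constructed tree, the hoisted 4.17.21 copy is clean, the 4.17.18 copy under some-plugin matches all three advisories, and the 4.17.19 copy under other-lib still matches the two fixed in 4.17.21.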