
High Prototype Pollution risk caused by lodash.omitby/4.6.0 scanned by BlackDuck for @pact-foundation/pact@^12.1.2 #1169

Closed
3 of 5 tasks
Rufei77 opened this issue Jan 23, 2024 · 3 comments
Labels
awaiting feedback Awaiting Feedback from OP bug Indicates an unexpected problem or unintended behavior triage This issue is yet to be triaged by a maintainer

Comments

@Rufei77

Rufei77 commented Jan 23, 2024

Thank you for reporting a bug! We appreciate it very much. Issues are a big input into the priorities for Pact-JS development

All italic text in this template is safe to remove before submitting

Thanks again!

Software versions

Please provide at least OS and version of pact-js

  • OS: Mac OS
  • Consumer Pact library: @pact-foundation/pact@^12.1.2
  • Provider Pact library: @pact-foundation/pact@^12.1.2
  • Node Version: v 18.xx

Issue Checklist

Please confirm the following:

  • I have upgraded to the latest
  • I have read the FAQs in the Readme
  • I have triple checked, that there are no unhandled promises in my code and have read the section on intermittent test failures
  • I have set my log level to debug and attached a log file showing the complete request/response cycle
  • For bonus points and virtual high fives, I have created a reproducible git repository (see below) to illustrate the problem

Expected behaviour

No vulnerabilities reported :)

Actual behaviour

The Blackduck scanner reports a HIGH severity alert (CVE-2019-10744) for a dependency (lodash.omitby/4.6.0) used by pact.

@Rufei77 Rufei77 added bug Indicates an unexpected problem or unintended behavior triage This issue is yet to be triaged by a maintainer labels Jan 23, 2024
@mefellows
Member

Thanks, are you interested in fixing this? Either by upgrading the dependency or replacing omitBy with another function?

FWIW you should consider and discuss whether or not a developer dependency is really exploitable and a HIGH severity risk (I bet it isn't).

@mefellows mefellows added the awaiting feedback Awaiting Feedback from OP label Jan 23, 2024
@yukun-han
Contributor

Hi @mefellows, I am one of @Rufei77's colleagues and I'm here to help her raise a PR to fix this issue. The PR #1175 is already linked here. Please take your time to have a look and feel free to give feedback.

To discuss further, lodash is not actively maintained now. As time goes on, more and more security risks will possibly be reported by vulnerability scanning tools like Snyk and BlackDuck, and no one will take care of them! In my perspective, it is worthwhile to retire all lodash dependencies and replace them with alternatives. I noticed that ramda is also listed in the dependencies. It is a good choice.

@mefellows
Member

I think this may be closed now that the other item has been merged and released - thanks for the PR! Closing.
