Vulnerability classified as "high" severity in lodash.set dependency

[shaunek]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

Snyk has recently flagged a high severity vuln in the lodash.set dependency. Here is Snyk's security bulletin:
https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032

The original HackerOne report (https://hackerone.com/reports/864701), seems to indicate that the vulnerability was patched in the main lodash package. However it seems that the lodash.set package hasn't been updated in 5 years so it doesn't have the patch.

It may be a good idea change @nestjs/config to rely on the full lodash package or use some other package. This page indicates that the per-method packages are a thing of the past and won't be maintained: https://lodash.com/per-method-packages

Minimum reproduction code

https://github.com/shaunek/nestjs-config-lodash.set-vuln

Steps to reproduce

• Clone demo repo https://github.com/shaunek/nestjs-config-lodash.set-vuln
• Install dependecies with npm install
  • Note that the only dependency is the @nestjs/config package
• Run index.js with node index.js

Results show that the lodash.set package contains the Prototype Pollution vulnerability

Expected behavior

When the javascript code set({}, "__proto__[test]", "456"); is called it should not pollute the Object.prototype

Package version

1.1.5

NestJS version

n/a

Node.js version

v16.13.1

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

No response

[micalevisk]

It may be a good idea change @nestjs/config to rely on the full lodash package or use some other package

now:

then:

---

Not sure how important is that, tho.

[shaunek]

Agreed that the extra KBs and download time are downsides to using the full lodash. The problem, as I see it, is that the lodash.set/lodash.get/lodash.has packages are no longer maintained and will not be getting any security patches going forward. And unmaintained open source dependencies aren't really acceptable to most companies such as mine.

Some options in my view are

1. Use full lodash
2. Use custom functions which replicate the set/get methods of lodash
3. Use alternative packages that have the same functionality as lodash set/get. For example https://www.npmjs.com/package/dset and https://www.npmjs.com/package/dlv could be alternatives that are small enough
4. Change functionality so that the special dot notation provided by lodash get/set is no longer an option

The easiest to do seems option 1. To me the second most appealing would be option 3, but I'm not sure what appetite the nestjs org has for depending on relatively new packages.

[micalevisk]

yeah, at the moment 1 is the safest & easiest.

---

I didn't find any alternative to lodash.has besides this "native" one: https://github.com/you-dont-need/You-Dont-Need-Lodash-Underscore#_has that might not be a drop-in replacement

[kamilmysliwiec]

Let's track this here #792