[Snyk] Fix for 1 vulnerable dependencies

[snyk-bot]

Description

This PR fixes one or more vulnerable packages in the npm dependencies of this project.
See the Snyk test report for more details.

Snyk Project: request/promise-core:package.json

Snyk Organization: analog-nico

Changes included in this PR

• A Snyk policy (.snyk) file, with updated settings.

Vulnerabilities that will be fixed

With a Snyk patch:

• SNYK-JS-LODASH-450202

You can read more about Snyk's upgrade and patch logic in Snyk's documentation.

Check the changes in this PR to ensure they won't cause issues with your project.

Stay secure,
The Snyk team

Note: You are seeing this because you or someone else with access to this repository has authorised Snyk to open Fix PRs. To review the settings for this Snyk project please go to the project settings page.

[coveralls]

Coverage remained the same at 100.0% when pulling f0c73e2 on snyk-fix-6a3b27a248dbff6d4e135fece256b6e9 into 7c4f307 on master.

[binarymist]

Hi There... Any chance of bumping the lodash version to rule out the vulnerability and re-publishing? Although I "think" according to semver it shouldn't matter?

[daniel-nagy]

The lodash update that patched this (v4.17.12) was published 4 days ago. This PR was created 8 days ago. It looks like Snyk was applying its own security patch because there was no version of lodash to update to at the time. Not sure how Synk works but I would say it is best to just close this PR and open a new PR to update lodash.

[daniel-nagy]

This was helpful https://snyk.io/docs/fixing-vulnerabilities/

When you choose to use a patch to fix a vulnerability, snyk is added as a dependency, a .snyk file is created which contains the list of patches to apply and the snyk protect command postinstall hook is added, and it is this command that is responsible for applying the patches.

I was wondering how this would protect someone installing this package. A post install hook that applies the patch makes sense but this didn't create a post-install hook, instead it used the pre-publish hook. Maybe Snyk was able to determine that lodash was bundled as part of a build step? If that is the case then lodash should be a dev-dependency not a dependency.

[binarymist]

We don't have a package-lock.json and according to semver in our package.json, anyone installing the promise-core package will get the patched lowdash anyway, so yeah, I see no reason why this PR can't be cosed.

As far as I'm aware, Snyk only looks at the package manifest.

[daniel-nagy]

If someone installed this dependency, or a dependency with this dependency, more than 5 days ago then they have the bad version of lodash in their lock file. By not updating the version of lodash you’re telling package managers that it is “ok” to install the bad version of lodash. From my experience I would not rely on sem-versioning at all.

[binarymist]

That's a good point @daniel-nagy

[analog-nico]

I just bumped lodash to ^4.17.15 without applying the snyk additions and will roll it out to the main request-promise packages shortly.