Using Lodash introduces a vulnerability #3

Closed
NicolasMassart opened this issue Jun 30, 2020 · 2 comments

NicolasMassart commented Jun 30, 2020

I have Snyk check on my project and it reported an issue with this plugin using Lodash (as a dependency of jsdom).

MEDIUM SEVERITY EXPLOIT: PROOF OF CONCEPT
Prototype Pollution
Vulnerable module: lodash
Introduced through: typedoc-plugin-extras@1.1.4
Exploit maturity: Proof of concept
Reachability: No info
Detailed paths and remediation
Introduced through: pegasys-orchestrate@2.2.0 › typedoc-plugin-extras@1.1.4 › jsdom@16.2.2 › request-promise-native@1.0.8 › request-promise-core@1.1.3 › lodash@4.17.15
Remediation: No remediation path available.
Overview
lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

Affected versions of this package are vulnerable to Prototype Pollution. The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Drarig29 (Owner) commented

Thank you for pointing that out.

The maintainers of lodash seem not to be acting on this vulnerability 😥

I searched for an alternative and found cheerio but it also uses lodash.

I'll consider writing my own solution for my needs, which are simply:

  • find <head> tag
  • find <p> tag with a specific parent (div.container.tsd-generator > p)
  • append to a found tag's innerHTML

Drarig29 (Owner) commented Jul 2, 2020

I dropped the jsdom dependency (and thus lodash) in the latest patch.

Now, I use String.prototype.replace() to replace in page.contents. So it has exactly the same behavior as before but there is no overkill logic with selectors anymore.

I stopped using the div.container.tsd-generator > p selector. Now, I find the text "Generated using TypeDoc" inside a <p> tag and add just before the end of the tag.

This text can't be changed so I view it as a constant. It can only be suppressed with hideGenerator. In the latter case, date and/or time won't be added (just as before).

Drarig29 closed this as completed Jul 2, 2020
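The dependency-free approach described in the last comment, sketched as an added example that is not the plugin's own code. The function names, the sample page and the assumption that the marker text appears literally inside a single `<p>` element are hypothetical; it shows two things a DOM library would otherwise have handled: escaping the appended value, and keeping `$` patterns in it from being expanded by `String.prototype.replace()`.

```javascript
// Added example; function names are hypothetical, not the plugin's API.
// Assumption: the marker text appears literally inside one <p> element.

// Escape text so the appended value cannot introduce markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Matches one <p> element containing the marker; the (?!<\/p>) guard keeps
// the match from spilling across an earlier paragraph's closing tag.
const GENERATOR_P =
  /(<p\b[^>]*>(?:(?!<\/p>)[\s\S])*?Generated using TypeDoc(?:(?!<\/p>)[\s\S])*?)(<\/p>)/;

// Insert `extra` just before </p>. A replacer function is used so that "$&",
// "$1", "$`" in `extra` are inserted literally instead of being expanded.
// Contents without the paragraph (e.g. hideGenerator) come back unchanged.
function appendToGenerator(contents, extra) {
  return contents.replace(GENERATOR_P, (_m, body, close) => `${body} ${escapeHtml(extra)}${close}`);
}

// Contrast: a string replacement expands "$" patterns found in `extra`.
function naiveAppend(contents, extra) {
  const marker = "Generated using TypeDoc</p>";
  return contents.replace(marker, `Generated using TypeDoc ${extra}</p>`);
}

// Constructed sample page, not real TypeDoc output.
const samplePage =
  '<p>Intro</p><footer><p class="g">Generated using TypeDoc</p></footer>';

console.log(appendToGenerator(samplePage, "on 2020-07-02 <b>$&</b>"));
console.log(naiveAppend(samplePage, "$&"));
```
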