npm audit flags dep sbo@1.1.3 with high severity vulnerabilities due to lodash.set #493

Closed
0x-a6 opened this issue Apr 23, 2024 · 5 comments
Labels: bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)

Comments

0x-a6 commented Apr 23, 2024

Describe the bug

When running npm audit with aws-iot-device-sdk-v2@1.19.3, the result is:

```
# npm audit report

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash.set
  sbo  >=1.1.3
  Depends on vulnerable versions of lodash.set
  node_modules/sbo

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix
```

Expected Behavior

Running npm audit should report 0 vulnerabilities.

Current Behavior

2 high severity vulnerabilities are detected.

Reproduction Steps

Environment: 6.5.0-27-generic kernel, 22.04.1-Ubuntu x86_64 Linux, node v18.19.1, npm 10.5.2

1. Install the package.
2. Run npm audit.

Possible Solution

Perhaps it's related to an old object copy issue mentioned here: lodash/lodash#5809. I don't know, but it seems like an old vulnerability for such a modern version of a dependency.

Additional Information/Context

No response

SDK version used

1.19.3

Environment details (OS name and version, etc.)

6.5.0-27-generic kernel, 22.04.1-Ubuntu x86_64 Linux, node v18.19.1, npm 10.5.2

0x-a6 added the bug and needs-triage labels on Apr 23, 2024
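The advisory flagged in the audit report above (GHSA-p6mc-m468-83gw) is a prototype-pollution bug in lodash's path-based deep setters: a path such as `__proto__.isAdmin` walks onto `Object.prototype` and the write lands on every object in the process. The following is an added example, not code from this issue, the SDK, sbo or lodash: `naiveSet` is a minimal deep "set" written here to reproduce that bug class, and `safeSet` is a hardened variant that rejects the `__proto__`, `constructor` and `prototype` keys and only descends into own properties. The function names, the `demo` harness and the payload string are constructed for the example.

```javascript
// Added example: a minimal path-based deep setter reproducing the
// prototype-pollution bug class behind GHSA-p6mc-m468-83gw, beside a hardened
// variant. naiveSet, safeSet, demo and the payload are constructed here; none
// of this is lodash's or the SDK's code.

function toKeys(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable: walks whatever key it is given, so "__proto__" resolves to
// Object.prototype and the final assignment pollutes every object.
function naiveSet(obj, path, value) {
  const keys = toKeys(path);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys through which a user-controlled path can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: rejects dangerous keys before writing anything, and never descends
// into an inherited property (only own, plain-object properties are traversed).
function safeSet(obj, path, value) {
  const keys = toKeys(path);
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set through key "${k}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both setters with an attacker-controlled path (constructed payload) and
// reports what happened to an unrelated object. The pollution is deleted again
// so the rest of the process is unaffected.
function demo() {
  const attackerPath = '__proto__.isAdmin'; // e.g. a query-string or JSON field
  const bystander = {};                      // never touched directly
  const out = {};

  naiveSet({}, attackerPath, true);
  out.naivePolluted = bystander.isAdmin === true;   // true: every object now "has" isAdmin
  delete Object.prototype.isAdmin;                  // undo the pollution

  let rejected = false;
  try { safeSet({}, attackerPath, true); } catch (e) { rejected = true; }
  out.safeRejected = rejected;
  out.bystanderClean = !('isAdmin' in bystander);

  // Ordinary nested writes still work with the hardened setter.
  out.normalWrite = safeSet({}, 'a.b.c', 1).a.b.c === 1;
  return out;
}

console.log(demo());
```

The point for a consumer of a package like this one is that the vulnerable write needs only a string the attacker controls; whether the transitive dependency is "reachable" depends on whether any code path feeds untrusted input into its path argument, which is what the audit cannot tell you and what removing the unneeded dependency settles outright.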
0x-a6 commented Apr 23, 2024

I've also updated node to v20.12.2 (Iron) via nvm and ran `npm update --save` and `npm i`, with the same audit results.

0x-a6 commented Apr 23, 2024

```
backend@1.0.0 /path/to/project/backend
└─┬ aws-iot-device-sdk-v2@1.19.3
  └─┬ 2@3.0.0
    └─┬ sbo@1.1.3
      └── lodash.set@4.3.2
```

Does this mean I need to raise this on the sbo repository?

bretambrose (Contributor) commented

No, someone added a pointless top-level dependency.

#494 removes it.

0x-a6 commented Apr 24, 2024

@bretambrose Thank you! Confirmed, works for me.

0x-a6 closed this as completed on Apr 24, 2024