Use Lodash's _.template instead of lodash.template package
#10458
Conversation
|
If possible, we should get this fix into all the currently supported LTS versions, which I believe is back to 4.12 for security patches. |
|
@LucasHill just want to clarify the "recommended resolution" you've linked is a comment I posted, I am not associated with the Lodash project as I said there. I'm not sure where Lodash would have endorsed this as their recommended fix. |
|
@gorner sorry I completely missed that and just made some assumptions. It was a well written explanation of what is happening and why projects should stop using the individually published functions. |
|
Could you retarget the |
gorner
force-pushed
the
replace-lodash-template
branch
from
9aa7b1d
to
ecae1a0
Compare
|
@kellyselden Done |
|
Released in 4.12.3, 5.4.2, 5.8.1, and 5.9.0-beta.1. Thanks! |
edit: Resolves #10459.
CVE-2021-23337 was recently updated to reflect an issue previously patched in Lodash also being present in the
lodash.templatepackage, which from all appearances is no longer maintained. I should emphasize there's nothing I've seen to suggest there's any significant risk in terms of how ember-cli uses this package currently, but it still raises alerts on NPM/GitHub that would be best to clear if possible.This PR replaces
lodash.templatewith the overalllodashpackage – which is already a transitive dependency – and substitutes it in the two places where it was being used. I ran the existing tests for these two modules and they passed.Note that this does not yet fully removelodash.templatefrom the dependency tree; it is also a dependency ofbroccoli-concatviasourcemap-validator(v1.1.1) which I intend to raise separately shortly.Edit: On further review I noticed that the current versioning would accept bumping
fast-sourcemap-concatto v2.1.1 and that doing so would remove thelodash.templatedependency entirely.If anything else is needed to ensure this can be back-merged to the LTS versions, please let me know.