Avoiding Lodash version disclosure #5829
Comments
|
If you are in a situation, where you can read the version via devtools, you already have code execution privileges. So it makes absolutely no sense to try to hide the version of a client-side library. |
|
This issue is causing some security concerns in my organization is someone able to looking into it? |
|
Tell whoever raised those concerns that it's trivial to determine a library version anyway... |
|
The last vestige of this issue was removed from the main branch of Unfortunately, that commit wasn't included in the 4.17.21 release that went out the following month, and there hasn't been a subsequent release of Fortunately, this is not actually a significant security issue. Your security scanners and information security officers are participating in a false positive race to the bottom. Sure, |
|
This vulnerability might be caused because the lodash object is exported globally and it can be accessed directly using You could get rid of this vulnerability issue by following the solution suggested here - #2671 (comment) Link to the solution: webpack/webpack#3017 (comment) |
As documented at https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/version-disclosure-lodash/, Lodash makes its version accessible to the user through a browser's developer tools.
This is reproducible by adding a dependency on Lodash 4.17.21 in a skeleton Angular project.
I realize the difficulty in redacting this information since Lodash is a client-side Javascript utility library, but is there any way to configure Lodash to redact this information, or is it possible that it is not required and can be removed from Lodash?
How to test it?
Use console.log(.templateSettings.imports..templateSettings.imports._.VERSION); on the browser console
The text was updated successfully, but these errors were encountered: