Medium vulnerability | yargs-unparser -> lodash@4.17.15 #4332

Closed
4 tasks done
deleonio opened this issue Jun 12, 2020 · 6 comments

Comments

@deleonio (Contributor) commented Jun 12, 2020

Prerequisites

  • Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
  • Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
  • 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
  • Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node node_modules/.bin/mocha --version (Local) and mocha --version (Global). We recommend that you not install Mocha globally.

Description

The current mocha version contains a high vulnerability. That is a blocker for our CI/CD pipelines.

Vulnerability in lodash found. The Lodash maintainers have done nothing for more than 7 months!

Lodash should be removed from mocha! Issue ticket opened: yargs/yargs-unparser#54 - we will see if a new npm package will be released.

Topic: lodash is dead?!

https://github.com/lodash/lodash/issues/4809
lodash/lodash#4745
... see the issues and PRs on GitHub

Steps to Reproduce

Findings: https://snyk.io/test/npm/mocha?tab=issues

Expected behavior: [What you expect to happen]

Actual behavior: [What actually happens]

Reproduces how often: [What percentage of the time does it reproduce?]

Versions

  • The output of mocha --version and node node_modules/.bin/mocha --version:
  • The output of node --version:
  • Your operating system
    • name and version:
    • architecture (32 or 64-bit):
  • Your shell (e.g., bash, zsh, PowerShell, cmd):
  • Your browser and version (if running browser tests):
  • Any third-party Mocha-related modules (and their versions):
  • Any code transpiler (e.g., TypeScript, CoffeeScript, Babel) being used (and its version):

Additional Information

deleonio changed the title from "Medium vulnerability | lodash@4.17.15 (impossible)" to "Medium vulnerability | yargs-unparser -> lodash@4.17.15" on Jun 12, 2020
@andrexweb

lodash@4.17.15
Prototype Pollution
Affecting lodash package, ALL versions

The function zipObjectDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.

Report: https://snyk.io/vuln/SNYK-JS-LODASH-567746
GitHub PR: lodash/lodash#4759

@deleonio (Contributor, Author)

@andresvelezperez but nobody fixes that. And nobody merges the PR.

@deleonio (Contributor, Author)

It is possible to remove yargs-unparser.

I don't know how to publish a new yargs-unparser package?

@boneskull (Member)

  1. We can't trivially remove yargs-unparser.
  2. zipObjectDeep, where the Lodash vulnerability lies, is not used in yargs-unparser.
  3. Therefore yargs-unparser is not vulnerable and this is a false positive.

This will get addressed if/when Lodash merges the PR, yargs-unparser updates, and Mocha updates to the latest yargs-unparser.

I would strongly suggest creating an exception in your CI pipeline to this particular warning.
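Following the advisory summary and the false-positive reasoning above, here is an added example in JavaScript (not code from this issue, Mocha, lodash or yargs-unparser): a prototype-pollution canary a CI job can run around a test suite, so that an allow-listed advisory does not silently hide real pollution, plus a crude text check for whether a package's source references zipObjectDeep at all. The sample source snippets are constructed and do not describe yargs-unparser's actual code.

```javascript
// Added example; not from the issue thread or any of the projects it mentions.

// Snapshot the own property names of Object.prototype, run `work`, and report
// any names that appeared. A non-empty result means something polluted the
// shared prototype while `work` ran (the class of bug the advisory describes).
function prototypePollutionCanary(work) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  work();
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !before.has(k));
}

// Triage question raised in the thread: a flagged transitive dependency is only
// reachable if the depending package actually calls the vulnerable function.
// This is a plain text scan of a package's source, not a full call-graph analysis.
const ZIP_OBJECT_DEEP = /\bzipObjectDeep\b/;
function referencesZipObjectDeep(sourceText) {
  return ZIP_OBJECT_DEEP.test(sourceText);
}

// Constructed sample sources (illustrative only, not real package code).
const SAMPLE_NO_USE =
  "const flatten = require('lodash/flatten');\nmodule.exports = (o) => flatten(o);";
const SAMPLE_USE =
  "const _ = require('lodash');\nmodule.exports = (k, v) => _.zipObjectDeep(k, v);";

function demo() {
  // Harmless simulation for the canary: add a configurable marker key to
  // Object.prototype inside the guarded callback, then remove it again.
  const leaked = prototypePollutionCanary(() => {
    Object.defineProperty(Object.prototype, '__canary_marker__', {
      value: 1,
      configurable: true,
    });
  });
  delete Object.prototype.__canary_marker__;
  return {
    leaked,                                          // ['__canary_marker__']
    cleanUses: referencesZipObjectDeep(SAMPLE_NO_USE), // false
    badUses: referencesZipObjectDeep(SAMPLE_USE),      // true
  };
}
```

In a pipeline, wrap the whole test run in prototypePollutionCanary and fail the job on a non-empty result; run the text scan over the flagged dependency's files to document why an advisory exception is justified.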

@deleonio (Contributor, Author)

@boneskull Yes, I agree with your description.

But I observe that many vulnerabilities stay unfixed out there. We must reduce unmaintained dependencies.

@deleonio (Contributor, Author)

deleonio commented Jun 17, 2020

@Munter

Sorry?

The new PR (#4338) fixed the issue in the common way. I am happy that I could find someone to publish a new version of yargs-unparser.
