Vulnerabilities introduced by package lodash #704
Comments
Do we know when this will be fixed?
Any update guys?
This was already fixed 4 months ago, but was not released yet.
Hello, due to this project appearing to be dead and no maintainers responding, I went ahead and forked the project under a new organization, and will continue the work over there. https://github.com/node-oauth/node-oauth2-server Feel free to move over there to further the discussion
Ping? Going to use the fork for now, thank you!
Hey @paimon0715 @lancejpollard,
Hi, @thomseddon @mjsalinger, there are three vulnerabilities introduced in your package oauth2-server:
Issue Description
Vulnerabilities (2 high and 1 medium severity) SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500 are detected in package [email protected] which is directly referenced by [email protected]. We noticed that such a vulnerability has been removed since [email protected].
However, oauth2-server's popular previous version [email protected] (11,057 downloads per week) is still transitively referenced by a large amount of latest versions of active and popular downstream projects (about 138 downstream projects, e.g., ant-nodejs-kit 1.1.119, openiap 1.2.3, qms-nestjs 1.0.40, spich 6.0.1, @mobilejazz/harmony-nest 0.8.2, @jeff-tian/[email protected], etc.).
As such, issues SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade oauth2-server from version 3.1.1 to (>=4.0.0-dev.1). For instance, [email protected] is introduced into the above projects via the following package dependency paths:
(1)
@jeff-tian/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......
The projects such as egg-oauth2-server, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade oauth2-server nor be easily migrated by the large amount of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package [email protected]?
Suggested Solution
Since these inactive projects set a version constraint 3.1.* for oauth2-server on the above vulnerable dependency paths, if oauth2-server removes the vulnerabilities from 3.1.1 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the 138 affected downstream projects.
In [email protected], you can kindly try to perform the following upgrade (not crossing major version):
lodash 4.17.19 ➔ 4.17.21
Note:
[email protected](>=4.17.21) has fixed the vulnerabilities (SNYK-JS-LODASH-590103, CVE-2021-23337 and CVE-2020-28500)
Thank you for your help.
Best regards,
Paimon
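
The following is an added example, not part of the original issue or of the oauth2-server project: it walks a dependency tree to list every path ending in a lodash older than 4.17.21, and checks which oauth2-server versions a `3.1.*` constraint would accept. The tree is constructed sample data; `example-app`, the `egg-oauth2-server` version placeholder and all function names are assumptions made for illustration.

```javascript
// Added example: constructed dependency tree, not taken from any real lockfile.
const FIXED_LODASH = "4.17.21"; // first lodash release the issue names as fixed

// Compare two plain x.y.z versions; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when `version` satisfies an x-range such as "3.1.*" (the only range form handled here).
function satisfiesXRange(version, range) {
  const want = range.split(".");
  const have = version.split(".");
  return want.every((part, i) => part === "*" || part === "x" || part === have[i]);
}

// Depth-first walk returning every dependency path that ends at a lodash older than the fix.
function findVulnerablePaths(node, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = [];
  if (node.name === "lodash" && compareVersions(node.version, FIXED_LODASH) < 0) {
    hits.push(here.join(" -> "));
  }
  for (const dep of node.dependencies || []) {
    hits.push(...findVulnerablePaths(dep, here));
  }
  return hits;
}

// Constructed sample tree modelled on the kind of path quoted in the issue.
const sampleTree = {
  name: "example-app", version: "1.0.0", // hypothetical downstream project
  dependencies: [{
    name: "egg-oauth2-server", version: "0.0.0-placeholder", // version is a placeholder
    dependencies: [{
      name: "oauth2-server", version: "3.1.1",
      dependencies: [{ name: "lodash", version: "4.17.19" }],
    }],
  }],
};

console.log(findVulnerablePaths(sampleTree));
console.log(satisfiesXRange("3.1.2", "3.1.*"), satisfiesXRange("4.0.0", "3.1.*"));
```

A patched 3.1.x release satisfies the `3.1.*` range that the unmaintained intermediates declare, while any 4.x release does not, which is why the fix only reaches those dependents if it ships on the 3.1 line.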