Update vulnerable lodash dependency in eslint-plugin-mozilla
Categories: Developer Infrastructure :: Lint and Formatting, defect
Tracking: firefox-esr60 wontfix, firefox-esr68 fixed, firefox68 wontfix, firefox69 fixed, firefox70 fixed
People: Reporter: cr, Assigned: standard8
References
Details: Keywords: sec-other, Whiteboard: [third-party-lib-testing]
Attachments: 2 files
The lodash team released a security update for a critical prototype pollution vulnerability that can lead to remote code execution.
- https://github.com/lodash/lodash/issues/4348
- https://github.com/lodash/lodash/pull/4336
- https://github.com/lodash/lodash/pull/4355
Only the latest release of lodash is not vulnerable. Please update dependencies to the latest release version, or at least verify that our code does not expose the vulnerability to untrusted input. (If not, I'd advise updating anyway.)
The non-vulnerable release versions are:
- lodash 4.17.14
- lodash.merge 4.6.2
- lodash.template 4.5.0
Any older releases contain the vulnerable code.
I'm assuming that this lodash code is not actually shipping. Please report back here if it is.
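Added example for readers of this bug; it is not lodash's code and not part of the patch landed here. It reproduces the failure mode behind the advisory above with a naive recursive merge (the same class of bug fixed in lodash 4.17.14 / lodash.merge 4.6.2), shows a hardened variant, and checks a package name and version against the fixed releases listed in this bug. Function names, the constructed payload and the version comparison are this example's own, not lodash's API.

```javascript
// Added example, not lodash's code and not from this bug's patch: a naive
// deep merge that is polluted through a "__proto__" key, a hardened merge,
// and a check against the fixed releases named in the bug. All names here
// are assumptions of this example.

function isObject(value) {
  return value !== null && typeof value === 'object';
}

// Vulnerable shape: every key of `src` is walked, including "__proto__".
// `target["__proto__"]` resolves through the inherited accessor to
// Object.prototype, so the nested object is merged into the global prototype.
function naiveMerge(target, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (isObject(value)) {
      if (!isObject(target[key])) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: keys that reach a prototype are skipped, and a nested
// target is reused only when it is an own data property of `target`.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) {
      continue; // drop the key rather than write through it
    }
    const value = src[key];
    if (isObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge over a constructed attacker payload and reports whether an
// unrelated, freshly created object picked up the injected property.
// Object.prototype is restored afterwards so repeated calls start clean.
function pollutes(merge) {
  // Constructed input: JSON.parse creates an own property named "__proto__".
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  merge({}, payload);
  const victim = {};
  const leaked = victim.polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Fixed releases named in the bug; anything below them is affected.
const FIXED_VERSIONS = {
  'lodash': '4.17.14',
  'lodash.merge': '4.6.2',
  'lodash.template': '4.5.0',
};

// Compares major.minor.patch numerically; a pre-release suffix is ignored.
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) {
      return x < y;
    }
  }
  return false;
}

// True when `name` is one of the packages the bug covers and `version` is
// older than its fixed release; other packages are out of scope here.
function isAffected(name, version) {
  const fixed = FIXED_VERSIONS[name];
  return fixed !== undefined && versionLessThan(version, fixed);
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge));
console.log('safeMerge pollutes Object.prototype: ', pollutes(safeMerge));
console.log('lodash 4.17.11 affected:', isAffected('lodash', '4.17.11'));
console.log('lodash 4.17.14 affected:', isAffected('lodash', '4.17.14'));
```

The point of `pollutes` is that the victim object is created after the merge and never touched by it: once `Object.prototype.polluted` is set, every object in the process inherits it, which is what makes the bug reachable from any code that later reads that property. To check a tree, feed each lodash package name and version from the lockfile into `isAffected`.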
Updated by Reporter • 6 years ago
Comment 1 • 6 years ago (Assignee)
I can take this. Shouldn't be a big issue to update. Note this is developer-only stuff.
I'll update the package lists for eslint-plugin-mozilla and the top-level, as it is easier to do them at the same time.
Comment 2 • 6 years ago (Assignee)
(In reply to Christiane Ruetten [:cr] from comment #0)
This link points to gfx. I assume it was meant to point to eslint-plugin-mozilla.
Comment 3 • 6 years ago (Assignee)
Comment 4 • 6 years ago (Assignee)
Christiane, presumably as this relates to developer-only tooling, we can land it any time we need to, without requesting security approval?
Should we land through autoland, or direct on central? I guess we want this on branches as well?
Comment 5 • 6 years ago (Reporter)
> we can land it any time we need to, without requesting security approval?
I'm not aware of the requirements the linter team has established around landing code. From a security perspective, there wouldn't be much to review in this version bump.
Comment 7 • 6 years ago (Assignee)
Thanks, I'll get this landed.
Comment 8 • 6 years ago
https://hg.mozilla.org/integration/autoland/rev/a0b40816521ed1d3cc9f25f22496f8358e51b4ea
https://hg.mozilla.org/mozilla-central/rev/a0b40816521e
Comment 10 • 6 years ago (Assignee) [uplift]
I've pushed this to beta as NPOTB as it was a simple update.
https://hg.mozilla.org/releases/mozilla-beta/rev/5def55cc75a70465407ab31228c77c6dd7bec349
I was thinking about skipping release as there shouldn't be many developers using that, and I suspect the only way this could be exploited is by getting something into the appropriate tree.
However, it might be worth doing this on esr, just so we're not raising any concerns there. I'll see if I can get a patch spun up.
Comment 11 • 6 years ago (Assignee)
Comment 12 • 6 years ago (Assignee) [uplift]
And now on ESR:
https://hg.mozilla.org/releases/mozilla-esr68/rev/0bd8c1e52943ae122f9571a9a61c1a7fad7a7ee9
Comment 13 • 6 years ago
Doesn't sound likely that we need to worry about ESR60 here, but feel free to change that if that's incorrect.
Updated • 5 years ago
Updated • 3 years ago