
Bump lodash from 4.17.15 to 4.17.23#5

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/lodash-4.17.23

Conversation

dependabot[bot] commented on behalf of github on Jan 24, 2026

Bumps lodash from 4.17.15 to 4.17.23.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.23.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.15...4.17.23)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) on Jan 24, 2026
fossabot[bot] commented on Jan 24, 2026

Needs Review

I recommend reviewing this upgrade before merging because the application intentionally uses lodash to demonstrate prototype pollution vulnerabilities for educational purposes. While the upgrade includes security fixes that patch vulnerabilities in the merge function, these fixes may break the demonstration functionality which relies on exploiting these exact vulnerabilities. The current version 4.17.23 is used solely on the vulnerabilities demonstration page, not in production code, so the security benefits must be weighed against the functional impact on the demonstration. Additionally, 17 security vulnerabilities were addressed in newer versions, but the demonstration may require the vulnerable behavior to remain functional.

Tip: Comment @fossabot fix to attempt automatic fixes.

Fix Suggestions

We identified 3 fixable issues in this upgrade.

  • Decide whether to proceed with lodash upgrade: This is a vulnerable-by-design demo application. The lodash upgrade from 4.17.23 to newer versions patches prototype pollution in _.merge(), which will break the vulnerability demonstration on pages/vulnerabilities.js. Options: (1) Keep vulnerable version for demo purposes, (2) Upgrade and update demo to use a different vulnerable library, (3) Upgrade and update demo comments to explain the vulnerability was patched
    Files: pages/vulnerabilities.js, package.json
  • If upgrade proceeds: Update the comment on line 78 of pages/vulnerabilities.js from 'In lodash 4.17.15, the merge function is vulnerable to prototype pollution' to 'In lodash versions prior to 4.17.21, the merge function was vulnerable to prototype pollution (CVE-2021-23337). This vulnerability has been patched in the current version.'
    Files: pages/vulnerabilities.js
  • If upgrade proceeds: Add a note after line 66 in pages/vulnerabilities.js explaining the demo no longer works: Search for '_.merge({}, userInput)' and add comment above it: '// NOTE: This vulnerability was patched in lodash 4.17.21+. To see this exploit in action, use lodash < 4.17.21'
    Files: pages/vulnerabilities.js

AI Assistant Prompt

# Lodash Upgrade Review - Vulnerable Demo Application

## Context
I'm reviewing PR #5 which upgrades lodash in my vulnerable-by-design Node.js demo application. This application intentionally uses vulnerable libraries for educational/security training purposes.

## The Problem
The lodash upgrade from 4.17.23 to newer versions patches prototype pollution vulnerabilities (CVE-2021-23337 and others) in `_.merge()`. However, my application's vulnerability demonstration page **intentionally exploits this vulnerability** to teach users about prototype pollution attacks.

## Key File
`pages/vulnerabilities.js` - Contains the prototype pollution demo using `_.merge()`

## Decision Needed
Help me evaluate these three options:

### Option 1: Keep Vulnerable Version
- Reject the upgrade and keep lodash 4.17.23
- Demo continues to work as intended
- Risk: Vulnerable dependency remains (acceptable for isolated demo)

### Option 2: Upgrade and Update Demo
- Accept the upgrade
- Update `pages/vulnerabilities.js` with educational notes explaining the vulnerability is now patched
- Demo becomes a "historical" example rather than live exploit

### Option 3: Upgrade with Alternative Demo
- Accept the upgrade
- Find alternative way to demonstrate prototype pollution

## If I Choose Option 2, Make These Changes:

### File: `pages/vulnerabilities.js`

1. **Update the comment around line 78** that says:
   `'In lodash 4.17.15, the merge function is vulnerable to prototype pollution'`
   
   Change to:
   `'In lodash versions prior to 4.17.21, the merge function was vulnerable to prototype pollution (CVE-2021-23337). This vulnerability has been patched in the current version.'`

2. **Add explanatory note before the `_.merge({}, userInput)` call** (around line 66):
   ```javascript
   // NOTE: This vulnerability was patched in lodash 4.17.21+.
   // To see this exploit in action, use lodash < 4.17.21
   ```

## Questions for You
1. What option do you recommend for an educational security demo application?
2. If I go with Option 2, can you show me the exact code changes needed in `pages/vulnerabilities.js`?
3. Are there any other files that reference this vulnerability demo that might need updates?

What we checked

  • Lodash merge function is intentionally used to demonstrate prototype pollution vulnerability: _.merge({}, userInput) - upgrading may fix the vulnerability and break the demonstration [1]
  • Code comment explicitly states 'In lodash 4.17.15, the merge function is vulnerable to prototype pollution' - the demonstration depends on this vulnerable behavior [2]
  • Single import of lodash used exclusively for vulnerability demonstration, not production functionality [3]
  • Current lodash version 4.17.23 installed - upgrade includes fixes for prototype pollution in merge, baseSet, zipObjectDeep, and other functions [4]
  • Application is a 'Vulnerable Next.js Application' designed to demonstrate security vulnerabilities for educational purposes [5]

Dependency Usage

Lodash is used exclusively within the application's vulnerabilities demonstration page to showcase a prototype pollution security vulnerability through its merge() function, which processes user-supplied JSON input to illustrate how attackers can manipulate JavaScript object prototypes. The library serves as an educational tool for security testing purposes, with its usage confined to a single demonstration feature rather than supporting core application functionality. This represents a highly focused, demonstration-oriented integration pattern with minimal architectural footprint across the codebase.

  • Lodash merge function is intentionally used to demonstrate prototype pollution vulnerability: _.merge({}, userInput) - upgrading may fix the vulnerability and break the demonstration
  • Code comment explicitly states 'In lodash 4.17.15, the merge function is vulnerable to prototype pollution' - the demonstration depends on this vulnerable behavior
    `In lodash 4.17.15, the merge function is vulnerable to prototype pollution.\n` +

Changes

lodash upgraded with critical security patches addressing command injection in _.template, prototype pollution in zipObjectDeep, baseSet, and _.unset(), plus ReDoS vulnerabilities in string trimming functions. The update also resolves _.isEqual circular reference handling and improves performance for empty array operations in sorted index methods.

  • Fix prototype pollution vulnerability in zipObjectDeep (#4759) (v4.17.15-4.17.16, commit)
  • Prevent command injection through _.template's variable option (v4.17.20-4.17.21, commit)
  • Add security threat model (v4.17.21-4.17.23, commit)
  • Add security escalation policy (v4.17.21-4.17.23, commit)
  • Add security.md (v4.17.21-4.17.23, commit)
  • Fix lodash.isEqual for circular references (#4515) (v4.17.15-4.17.16, commit)
  • Documentation fixes (v4.17.19-4.17.20, commit)
  • Fix setCacheHas JSDoc return type to boolean (v4.17.21-4.17.23, commit)
  • Fix autoLink function and source links documentation (v4.17.21-4.17.23, commit)
  • Fix linting issues (v4.17.21-4.17.23, commit)
  • Add Renovate setup (v4.17.21-4.17.23, commit)
  • Add IRP (Incident Response Plan) (v4.17.21-4.17.23, commit)
  • Add scorecard reporting (v4.17.21-4.17.23, commit)
  • Add CodeQL analysis (v4.17.21-4.17.23, commit)
  • Add CI pipeline for Node (v4.17.21-4.17.23, commit)
  • Add contributors section to README (v4.17.21-4.17.23, commit)
  • Bump to v4.17.16 (v4.17.15-4.17.16, commit)
  • Sanitize sourceURL to prevent affecting evaled code (#4518) (v4.17.15-4.17.16, commit)
  • Document matches* shorthands for over* methods (#4514) (v4.17.15-4.17.16, commit)
  • Ensure orderBy accepts iteratee path arrays (#4513) (v4.17.15-4.17.16, commit)
  • Short circuit sortedIndexBy methods for empty arrays (#4497) (v4.17.15-4.17.16, commit)
  • Improve documentation for sortBy with multiple iteratees (#4467) (v4.17.15-4.17.16, commit)
  • Rebuild lodash and docs (v4.17.15-4.17.16, commit)
  • Bump to v4.17.20 (v4.17.19-4.17.20, commit)
  • Remove trailing comma from test.js (v4.17.19-4.17.20, commit)
  • Temporarily use a custom fork of lodash-cli (v4.17.19-4.17.20, commit)
  • Re-enable Travis tests on 4.17 branch (v4.17.19-4.17.20, commit)
  • Remove /npm-package (v4.17.19-4.17.20, commit)
  • Bump to v4.17.21 (v4.17.20-4.17.21, commit)
  • Improve performance of toNumber, trim and trimEnd on large input strings (v4.17.20-4.17.21, commit)
  • Bump main to v4.17.23 (v4.17.21-4.17.23, commit)
  • Update _.compact JSDoc to document -0 and BigInt zeros as falsey values (v4.17.21-4.17.23, commit)
  • Prevent prototype pollution on baseUnset function (v4.17.21-4.17.23, commit)
  • Remove yarn.lock file (v4.17.21-4.17.23, commit)
  • Remove legacy CI configuration files (v4.17.21-4.17.23, commit)
  • Update documentation links for Open JS Foundation (v4.17.21-4.17.23, commit)
  • Fixed prototype pollution vulnerability in baseSet and related functions that could allow attackers to modify Object.prototype (v4.17.16, package source)
  • Fixed prototype pollution vulnerability in baseSet function - prevents setting 'proto', 'constructor', and 'prototype' properties on objects to avoid prototype chain pollution (v4.17.17, package source)
  • Added proto check in baseAssignValue to prevent prototype pollution when assigning values to object properties (v4.17.17, package source)
  • Added safeGet function that prevents accessing 'constructor' functions and 'proto' properties to block prototype pollution vectors (v4.17.17, package source)
  • Modified isKeyable function to exclude 'proto' from being used as a valid object key, preventing prototype pollution attacks (v4.17.17, package source)
  • Enhanced baseKeysIn to skip 'constructor' property on prototype objects to prevent prototype pollution (v4.17.17, package source)
  • Added prototype pollution protection in _.set, _.setWith, and related functions - now blocks setting 'proto', 'constructor', and 'prototype' properties (v4.17.20, package source)
  • Enhanced code injection prevention in _.template sourceURL option - now strips all whitespace characters (not just newlines) to prevent comment escape and code injection (v4.17.20, package source)
  • Fixed command injection vulnerability in _.template() function by validating the 'variable' option parameter. The function now throws an error if forbidden characters (parentheses, equals, commas, braces, brackets, slashes, or whitespace) are found in the variable name, preventing potential code injection attacks (CVE-2021-23337) (v4.17.21, package source)
  • Fixed ReDoS (Regular Expression Denial of Service) vulnerability in string trimming functions by replacing vulnerable regex patterns (/^\s+|\s+$/g) with optimized character-by-character whitespace checking using new internal helper functions baseTrim() and trimmedEndIndex() (v4.17.21, package source)
  • Fixed prototype pollution vulnerability in _.unset() function (GHSA-xxjr-mmjv-4gpg). The function now blocks 'proto' keys when not own properties and prevents 'constructor.prototype' chains to protect against malicious property paths. (v4.17.23, package source)
  • Improved handling of constructor and proto properties in object manipulation functions to prevent prototype pollution (v4.17.16, package source)
  • Enhanced safeGet function to safely retrieve object properties while preventing access to dangerous properties like 'constructor' (v4.17.16, package source)
  • Fixed cyclic reference comparison in _.isEqual - now correctly validates both sides of circular references instead of assuming equality (v4.17.20, package source)
  • Optimized _.sortedIndex, _.sortedIndexBy, _.sortedLastIndex, and _.sortedLastIndexBy to check array length before invoking iteratee function, preventing unnecessary function calls on empty arrays (v4.17.20, package source)
  • Improved _.orderBy to properly handle array-based iteratees for deep property paths (v4.17.20, package source)
  • Refactored _.trim() to use new baseTrim() helper function instead of regex-based trimming for better performance and security (v4.17.21, package source)
  • Refactored _.trimEnd() to use new trimmedEndIndex() helper function instead of regex pattern for improved performance (v4.17.21, package source)
  • Updated _.toNumber() to use baseTrim() helper for whitespace handling instead of regex pattern (v4.17.21, package source)
  • Added missing semicolon in iteratee function return statement for improved code consistency (v4.17.23, package source)
  • Added fp.js entry point at package root for easier access to functional programming variant of lodash (v4.17.18, package source)
  • Refactored main lodash.js file from monolithic structure to modular architecture using require() statements for better maintainability (v4.17.16, package source)
  • Updated internal version number from 4.17.15 to 4.17.16 (v4.17.16, package source)
  • Changed build from modularized custom build to full standalone build - lodash.js expanded from 643 lines to 17,161 lines containing complete implementation (v4.17.17, package source)
  • Updated package structure with additional functional programming (fp) module files for better modular usage support (v4.17.17, package source)
  • Updated version number from 4.17.17 to 4.17.18 in package.json (v4.17.18, package source)
  • Updated internal VERSION constant in lodash.js from '4.17.17' to '4.17.18' (v4.17.18, package source)
  • Updated documentation in README.md with new version references and GitHub package source link (v4.17.18, package source)
  • Added LICENSE file with MIT license and OpenJS Foundation copyright notice (v4.17.19, package source)
  • Added core.js - a minimal build of lodash with core functionality only (v4.17.19, package source)
  • Updated version number from 4.17.18 to 4.17.19 in lodash.js (v4.17.19, package source)
  • Updated README.md to reference version 4.17.19 and updated package source link (v4.17.19, package source)
  • Updated package.json version field to 4.17.19 (v4.17.19, package source)
  • Added documentation examples showing how to combine multiple predicates using _.overSome and _.overEvery with _.filter (v4.17.20, package source)
  • Enhanced documentation for _.matches and _.matchesProperty to note support for combining matchers with _.overSome (v4.17.20, package source)
  • Added documentation for _.overEvery and _.overSome explaining shorthand syntax support (Object for _.matches, Array for _.matchesProperty) (v4.17.20, package source)
  • Improved AMD loader support in core build to properly expose lodash in AMD environments (v4.17.20, package source)
  • Added internal _baseTrim.js module for secure string trimming implementation (v4.17.21, package source)
  • Added internal _trimmedEndIndex.js module for optimized trailing whitespace detection (v4.17.21, package source)
  • Added Nix flake configuration files (flake.nix and flake.lock) for improved development environment setup (v4.17.21, package source)
  • Removed Nix development environment configuration files (flake.lock and flake.nix) (v4.17.23, package source)
  • Removed internal release documentation (release.md) (v4.17.23, package source)
References (5)

[1]: Lodash merge function is intentionally used to demonstrate prototype pollution vulnerability: `_.merge({}, userInput)` - upgrading may fix the vulnerability and break the demonstration

[2]: Code comment explicitly states 'In lodash 4.17.15, the merge function is vulnerable to prototype pollution' - the demonstration depends on this vulnerable behavior
    Source excerpt: `In lodash 4.17.15, the merge function is vulnerable to prototype pollution.\n` +

[3]: Single import of lodash used exclusively for vulnerability demonstration, not production functionality

[4]: Current lodash version 4.17.23 installed - upgrade includes fixes for prototype pollution in merge, baseSet, zipObjectDeep, and other functions
    Source excerpt: "lodash": "4.17.23",

[5]: Application is a 'Vulnerable Next.js Application' designed to demonstrate security vulnerabilities for educational purposes
    Source excerpt: # Vulnerable Next.js Application


fossabot analyzed this PR using static analysis and dependency research.
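The review above turns on one question: does the deep merge the demo page calls still let user-supplied JSON reach `Object.prototype`? As an added example (not code from this PR or from lodash), the canary check below answers that for any merge function handed to it, so the repo can verify the demo page's comment against the installed dependency after a bump. `naiveMerge` and `safeMerge` are constructed stand-ins: the first shows the unguarded pattern, the second applies the key blocking (`__proto__`, `constructor`, `prototype`) that the changelog entries describe. To test the real dependency, pass the installed library's merge in place of `naiveMerge`.

```javascript
// Constructed input in the shape the demo page accepts: user-supplied JSON.
// JSON.parse creates "__proto__" as an ordinary own key, which is what a
// key-agnostic deep merge then walks into.
const USER_INPUT = '{"name":"demo","__proto__":{"polluted":"yes"}}';

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded pattern (constructed stand-in, not lodash): every source key is
// merged, so for "__proto__" it recurses into target.__proto__, which is
// Object.prototype, and writes the nested keys there.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      target[key] = naiveMerge(isPlainObject(target[key]) ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern modelled on the fix the changelog describes: own keys only,
// blocked names skipped, and never recurse into an inherited value on the
// target side (only an own plain object is reused as the merge target).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Canary: returns true if merging the JSON with mergeFn polluted
// Object.prototype (a fresh empty object would then inherit "polluted").
// Always cleans up, so one check cannot leak into the next.
function pollutesPrototype(mergeFn, json) {
  const canary = {};
  try {
    mergeFn({}, JSON.parse(json));
    return canary.polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

// Stand-alone run: which implementation would the demo page still "work" against?
console.log('naiveMerge pollutes Object.prototype:', pollutesPrototype(naiveMerge, USER_INPUT)); // true
console.log('safeMerge pollutes Object.prototype:', pollutesPrototype(safeMerge, USER_INPUT)); // false
```

If the canary reports `false` for the installed lodash, the 4.17.15 comment on the demo page is stale and the "patched in 4.17.21+" wording the review suggests is the accurate one.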
