Recently the lodash package reported a security vulnerability on its GitHub page. You can find details here: https://github.com/lodash/lodash/issues/5083.
The latest version of lodash has a Command Injection security vulnerability (CVE-2021-23337). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337 https://snyk.io/vuln/SNYK-JS-LODASH-1040724 "All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template."
They have resolved the issue and the fix is present in lodash v4.17.21.
I am using Angular 10. I am not using lodash directly, but one of the Angular packages, @angular/[email protected], internally uses @babel/[email protected], and this babel package internally uses [email protected].
The Angular team will update the version number in their latest release, and currently I don't want to upgrade to the latest version of Angular. Therefore, my question is: how can I update only the lodash package, a child dependency (a required dependency of @babel/core), from [email protected] to v4.17.21?
npm update lodash did the trick for me.
$ npm -v
7.6.0
$ npm ls lodash
[email protected] /Users/trott/temp
└─┬ @angular/[email protected]
  └─┬ @babel/[email protected]
    ├─┬ @babel/[email protected]
    │ └── [email protected] deduped
    ├─┬ @babel/[email protected]
    │ └── [email protected] deduped
    └── [email protected]
$ npm update lodash
changed 1 package, and audited 99 packages in 1s
6 packages are looking for funding
  run `npm fund` for details
found 0 vulnerabilities
$ npm ls lodash
[email protected] /Users/trott/temp
└─┬ @angular/[email protected]
  └─┬ @babel/[email protected]
    ├─┬ @babel/[email protected]
    │ └── [email protected] deduped
    ├─┬ @babel/[email protected]
    │ └── [email protected] deduped
    └── [email protected]
$
This isn't exactly what you asked for, because it updates to the latest lodash that satisfies the requirements of your dependencies, rather than the specific version 4.17.21. It just so happens that (at the time of this writing) that latest version for @angular/localize is 4.17.21. If you genuinely need a specific version that isn't the latest that satisfies your dependencies, read on.
Let's say, hypothetically, you wanted to update to 4.17.20. You might try npm update [email protected]. Alas, that doesn't work. The command runs fine, but doesn't update anything. In that case, you'd have to npm install [email protected] first. That will update all your dependencies as well (assuming 4.17.20 satisfies their requirements). Then npm uninstall [email protected] to remove it from your direct dependencies.