Tags: javascript, angular, npm, lodash, angular-localize

How can I update only the lodash package, a child dependent (required dependency package for babel/core), from [email protected] to v4.17.21?


Recently the lodash package reported a security vulnerability issue on its GitHub page. You can find details here: https://github.com/lodash/lodash/issues/5083.

This latest version of lodash has a Command Injection security vulnerability (CVE-2021-23337).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337
https://snyk.io/vuln/SNYK-JS-LODASH-1040724

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

They have resolved the issue and its fix is present in lodash v4.17.21. I am using Angular 10. I am not using lodash directly, but one of the Angular packages, @angular/[email protected], internally uses @babel/[email protected], and this babel package internally uses [email protected].

Angular people will update the version number in their latest release, and currently I don't want to upgrade to the latest version of Angular. Therefore, my question is: how can I update only the lodash package, a child dependent (required dependency package for babel/core), from [email protected] to v4.17.21?


Solution

  • npm update lodash did the trick for me.

    $ npm -v
    7.6.0
    $ npm ls lodash  
    [email protected] /Users/trott/temp
    └─┬ @angular/[email protected]
      └─┬ @babel/[email protected]
        ├─┬ @babel/[email protected]
        │ └── [email protected] deduped
        ├─┬ @babel/[email protected]
        │ └── [email protected] deduped
        └── [email protected]
    
    $ npm update lodash
    
    changed 1 package, and audited 99 packages in 1s
    
    6 packages are looking for funding
      run `npm fund` for details
    
    found 0 vulnerabilities
    $ npm ls lodash
    [email protected] /Users/trott/temp
    └─┬ @angular/[email protected]
      └─┬ @babel/[email protected]
        ├─┬ @babel/[email protected]
        │ └── [email protected] deduped
        ├─┬ @babel/[email protected]
        │ └── [email protected] deduped
        └── [email protected]
    
    $
    

    This isn't exactly what you asked for because it updates to the latest lodash that satisfies the requirements of your dependencies, rather than the specific version 4.17.21. It just so happens that (at the time of this writing) the latest version for @angular/localize is 4.17.21. If you genuinely need a specific version that isn't the latest that satisfies your dependencies, read on.

    Let's say, hypothetically, you wanted to update to 4.17.20. You might try npm update [email protected]. Alas, that doesn't work. The command runs fine, but doesn't update anything. In that case, you'd have to npm install [email protected] first. That will update all your dependencies as well (assuming 4.17.20 satisfies their requirements). Then npm uninstall [email protected] to remove it from your direct dependencies.
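After running `npm update lodash`, a defender still wants proof that no nested copy of lodash below 4.17.21 remains, since a transitive dependency such as @babel/core can keep its own copy under its own node_modules. The following added script (not from the question or the answer above) walks a package-lock.json in either the v1 nested "dependencies" layout or the v2/v3 flat "packages" layout and reports every copy below a minimum version; the sample lockfile inside it is constructed to mirror the tree shown in the answer.

```python
"""Report every installed copy of a package below a minimum version.

Added example, not code from the original question or answer. It reads the
lockfile layouts npm writes (v1 nested "dependencies", v2/v3 flat "packages")
so a lodash copy pinned under @babel/core is found, not only the hoisted one.
"""
import json


def parse_version(v):
    """Turn "v4.17.21" / "4.17.21-beta.1" into a comparable int tuple."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))


def find_package_versions(lock, name):
    """Return [(install_path, version), ...] for every copy of `name`."""
    found = []
    if "packages" in lock:
        # v2/v3: keys look like "node_modules/@babel/core/node_modules/lodash"
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == name and "version" in meta:
                found.append((path, meta["version"]))
        return found

    def walk(deps, prefix):  # v1: "dependencies" objects nest recursively
        for dep_name, meta in deps.items():
            path = f"{prefix}node_modules/{dep_name}"
            if dep_name == name and "version" in meta:
                found.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def outdated_copies(lock, name, minimum):
    """Copies of `name` whose version is strictly below `minimum`."""
    floor = parse_version(minimum)
    return [(p, v) for p, v in find_package_versions(lock, name)
            if parse_version(v) < floor]


# Constructed sample lockfile (v2 layout): the hoisted lodash is already fixed,
# but the copy nested under @babel/core is still on the vulnerable 4.17.20.
SAMPLE_LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.12.0"},
        "node_modules/@babel/core/node_modules/lodash": {"version": "4.17.20"},
    },
}

if __name__ == "__main__":
    lock = SAMPLE_LOCK  # replace with json.load(open("package-lock.json"))
    for path, version in outdated_copies(lock, "lodash", "4.17.21"):
        print(f"{path}: {version} is below 4.17.21 (CVE-2021-23337)")
```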