EcSync

Reputation: 860

How to fix Seriate and Lodash vulnerabilities

For my project I have one package used, Seriate.

npm install seriate

However running this gives the following result:

found 17 vulnerabilities (9 low, 1 moderate, 7 high)

I ran npm audit and npm audit fix, yet nothing changed. I have also looked into the dependencies: Lodash seems to have a security issue (supposedly fixed at 4.17.11).

How can I fix these? I have tried to update lodash like so: npm install lodash@4.17.11, however that didn't work either.

Also, is this something to worry about? It runs from a local server, which is secure in itself.

thanks for any help

Upvotes: 4

Views: 10377

Answers (2)

user11541989


As mentioned by Nino, npm audit won't resolve Lodash security vulnerabilities automatically.

  • Security vulnerabilities found requiring manual review

If security vulnerabilities are found, but no patches are available, the audit report will provide information about the vulnerability so you can investigate further. A snapshot of a sample audit report is here.

  • To address the vulnerability, you can
    1. Check for mitigating factors
    2. Update dependent packages if a fix exists
    3. Fix the vulnerability

Check for mitigating factors

Review the security advisory in the “More info” field for mitigating factors that may allow you to continue using the package with the vulnerability in limited cases. For example, the vulnerability may only exist when the code is used on specific operating systems, or when a specific function is called.

Update dependent packages if a fix exists

If a fix exists but packages that depend on the package with the vulnerability have not been updated to include the fixed version, you may want to open a pull or merge request on the dependent package repository to use the fixed version.

  1. To find the package that must be updated, check the “Path” field for the location of the package with the vulnerability, then check for the package that depends on it. For example, if the path to the vulnerability is @package-name > dependent-package > package-with-vulnerability, you will need to update dependent-package.

  2. On the npm public registry, find the dependent package and navigate to its repository. For more information on finding packages, see here

  3. In the dependent package repository, open a pull or merge request to update the version of the vulnerable package to a version with a fix.

  4. Once the pull or merge request is merged and the package has been updated in the npm public registry, update your copy of the package with npm update

Fix the vulnerability

If a fix does not exist, you may want to suggest changes that address the vulnerability to the package maintainer in a pull or merge request on the package repository.

  1. Check the “Path” field for the location of the vulnerability.
  2. On the npm public registry, find the package with the vulnerability. For more information on finding packages, see here
  3. In the package repository, open a pull or merge request to make the fix on the package repository.
  4. Once the fix is merged and the package has been updated in the npm public registry, update your copy of the package that depends on the package with the fix.

Upvotes: 1
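The procedure in the answer above turns on reading the "Path" field of each finding and working out which package in that chain you actually have to update. As an added example (not part of the original answer and not the asker's project), the script below parses the JSON that `npm audit --json` emitted in the npm 6 era, splits each `a>b>c` path, and reports the package that directly depends on the vulnerable one, plus whether a patched version exists (npm marked "no fix available" with `patched_versions: "<0.0.0"`). The audit document embedded here is a constructed sample with one real-looking advisory (lodash < 4.17.11) and one invented no-fix advisory for contrast; the dependency names under `seriate` are placeholders, not its real tree.

```javascript
// Added example: plan manual remediation from `npm audit --json` output.
// The JSON below is CONSTRUCTED sample data in the npm 6 report shape;
// it is not output from the asker's project. "some-dep" and "other-dep"
// are placeholder package names.
const sampleAuditJson = JSON.stringify({
  advisories: {
    "782": {
      id: 782,
      module_name: "lodash",
      severity: "high",
      title: "Prototype Pollution",
      vulnerable_versions: "<4.17.11",
      patched_versions: ">=4.17.11",
      findings: [
        { version: "4.17.10", paths: ["seriate>lodash"] },
        { version: "4.17.10", paths: ["seriate>some-dep>lodash"] }
      ]
    },
    "constructed-no-fix": {   // hypothetical advisory with no patched release
      id: "constructed-no-fix",
      module_name: "other-dep",
      severity: "low",
      title: "Hypothetical issue with no fix",
      vulnerable_versions: "*",
      patched_versions: "<0.0.0",   // npm's marker for "no fix available"
      findings: [{ version: "1.0.0", paths: ["seriate>other-dep"] }]
    }
  }
});

// Turn an audit report into a list of concrete actions: for every
// vulnerable path, name the package whose dependency range must change
// (the one immediately before the vulnerable module in the path) and
// whether a fixed version exists to move to.
function planAuditFixes(auditJson) {
  const report = JSON.parse(auditJson);
  const plan = [];
  for (const adv of Object.values(report.advisories || {})) {
    const fixAvailable = adv.patched_versions !== "<0.0.0";
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");
        plan.push({
          advisory: adv.id,
          module: adv.module_name,
          installedVersion: finding.version,
          severity: adv.severity,
          path,
          // Top of the chain: the entry in your own package.json.
          directDependency: chain[0],
          // Package whose own manifest pins the vulnerable range; null means
          // the vulnerable module is your direct dependency and you fix it yourself.
          dependentToUpdate: chain.length >= 2 ? chain[chain.length - 2] : null,
          fixAvailable,
          patchedVersions: adv.patched_versions
        });
      }
    }
  }
  return plan;
}

// Human-readable summary of what to do for each finding.
function describeAction(item) {
  const where = item.dependentToUpdate
    ? `open a PR on ${item.dependentToUpdate} to require ${item.module} ${item.patchedVersions}`
    : `bump ${item.module} to ${item.patchedVersions} in your own package.json`;
  return item.fixAvailable
    ? `[${item.severity}] ${item.path}: ${where}`
    : `[${item.severity}] ${item.path}: no fix published; review the advisory for mitigating factors`;
}

for (const item of planAuditFixes(sampleAuditJson)) {
  console.log(describeAction(item));
}
```

To use it on a real project, replace `sampleAuditJson` with the contents of `npm audit --json > audit.json`; the `dependentToUpdate` column tells you which upstream repository to open the pull request against, which is the step the answer describes.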

Nino Filiu

Reputation: 18551

The security issues spotted by npm audit can't be fixed automatically (i.e. by changing package versions to equivalent secure versions); they require manual review, thus can't be fixed simply by npm audit fix. npm audit fix --force would be an option (caution: introduces breaking changes!) but for me that fixed none of the 17 issues.

When installing the current version of seriate, [email protected] is already required/installed so npm i [email protected] won't change anything.

Whether these issues are dangerous or not in your case would really require an investigation from your part. Note that it's not because lodash is insecure that using lodash is - only in certain cases, only in certain machines, only for certain functions, etc. Start by reading the NPM advisories related to the security issues (like this one).

Upvotes: 2
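The answer above makes the key point: a vulnerable lodash only makes your application vulnerable if your code path actually exercises the affected behaviour. The npm advisory for lodash before 4.17.11 is a prototype-pollution issue in the deep-merge helpers (merge, mergeWith, defaultsDeep), so the practical question for the asker is whether any object built from outside input (a request body, a config file, a database row) ever reaches a deep merge. The following is an added example, not lodash's code and not the asker's: a toy recursive merge that has the same flaw, a hardened version, and a probe that shows what "polluted" means, so you can reason about whether "it runs from a local server" is really a mitigating factor. The `isAdmin` key and the JSON payload are constructed for the demonstration.

```javascript
// Added example: prototype pollution via a naive deep merge, and the fix.
// This is illustrative code, not lodash's implementation.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive recursive merge with the flaw the lodash advisory describes.
// Object.keys() on JSON.parse('{"__proto__": ...}') yields an own
// "__proto__" key; reading target["__proto__"] then returns
// Object.prototype, and the recursion writes attacker keys onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      const existing = target[key];                  // BUG: inherited lookup
      target[key] = unsafeMerge(isPlainObject(existing) ? existing : {}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// descend into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Probe: feed a constructed attacker payload into a merge function and
// report whether an UNRELATED fresh object afterwards carries the injected
// property. Cleans up so the rest of the process is not left polluted.
function pollutes(mergeFn) {
  const probe = "isAdmin";
  delete Object.prototype[probe];
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed input
  mergeFn({}, untrusted);
  const leaked = ({})[probe] === true;
  delete Object.prototype[probe];
  return leaked;
}

console.log("naive merge pollutes Object.prototype:", pollutes(unsafeMerge));
console.log("hardened merge pollutes Object.prototype:", pollutes(safeMerge));
```

The mitigating-factor question then becomes concrete: if every object that reaches lodash's merge/defaultsDeep in your code is built from literals you control, the advisory does not apply to you as deployed; if any of it is parsed from a request or a file an outside party can influence, "local server" does not help, because the pollution happens inside your own process.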
