Bug or support request summary
Storybook is using outdated and vulnerable lodash.xxx modules. We should upgrade lodash.xxx modules from 2016 to their modern tree-shakeable lodash packages from lodash 4.17.5 and above.
Steps to reproduce
https://nvd.nist.gov/vuln/detail/CVE-2018-3721
Please specify which version of Storybook and optionally any affected addons that you're running
- @storybook/.4.0.0-alpha.20 and above
Affected platforms
Not platform-specific
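A lockfile check for the dependency pattern reported above, as an added example that is not part of the original issue or of Storybook's code. It assumes an npm `package-lock.json` already parsed into an object; `auditLock`, its helpers and `SAMPLE_LOCK` are hypothetical names, and the sample data is constructed.

```javascript
const MIN_LODASH = [4, 17, 5]; // minimum lodash version named in the issue
const NM = 'node_modules/';

// True when an x.y.z version is lower than MIN_LODASH (pre-release tags ignored).
function isBelowMin(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== MIN_LODASH[i]) return n < MIN_LODASH[i];
  }
  return false;
}

// Record a finding for per-method lodash.* packages and for old lodash releases.
function check(name, version, where, out) {
  if (typeof version !== 'string') return; // linked entries carry no version
  if (/^lodash\.[\w.-]+$/.test(name)) {
    out.push({ name, version, where, reason: 'per-method lodash.* package' });
  } else if (name === 'lodash' && isBelowMin(version)) {
    out.push({ name, version, where, reason: 'lodash below 4.17.5' });
  }
}

// lockfileVersion 1: nested "dependencies" trees.
function walkNested(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    check(name, info.version, here.join(' > '), out);
    walkNested(info.dependencies, here, out);
  }
}

// Accepts a parsed package-lock.json and returns the list of findings.
function auditLock(lock) {
  const out = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, info] of Object.entries(lock.packages)) {
      const at = path.lastIndexOf(NM);
      if (at !== -1) check(path.slice(at + NM.length), info.version, path, out);
    }
  } else {
    walkNested(lock.dependencies, [], out);
  }
  return out;
}

// Constructed sample, not Storybook's real lockfile.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'example-addon': { version: '1.0.0', dependencies: {
    'lodash.merge': { version: '4.6.0' }, lodash: { version: '4.17.4' } } },
  lodash: { version: '4.17.11' } } };
```

Each finding's `where` field gives the dependency chain (or install path), which shows which parent package still needs the upgrade.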
Activity
Stephanemw commented on Oct 3, 2018
As discussed in Discord, I'll be raising a PR for this soon.
Merge pull request #4284 from Stephanemw/build/4267_lodash_upgrade
jethrolarson commented on Dec 21, 2018
This broke my instance of storybook. And it does so due to a patch version of lodash, so I'm not a fan.
Stephanemw commented on May 20, 2019
@jethrolarson can you help me understand where this breakage occurs for you? We can't realistically keep on depending on vulnerable libraries so I'm keen to find a resolution that works for you too.