fix: use lodash to v4.17.21 CVE-2020-8203

GHSA-p6mc-m468-83gw
qiwi · Jan 28, 2024 · 9f2efa2 · 9f2efa2
1 parent 88da81c
commit 9f2efa2
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 189 deletions.
diff --git a/package.json b/package.json
@@ -25,15 +25,15 @@
     }
   },
   "scripts": {
-    "clean": "rimraf target buildcache",
+    "clean": "rm -rf target buildcache",
     "lint": "eslint src/**/*.{ts,js}",
     "lint:fix": "yarn lint --fix",
     "format": "prettier --write \"src/**/*.ts\"",
     "test": "concurrently 'npm:test:*'",
     "test:ts4": "node ./node_modules/ts4/bin/tsc -p src/test/ts4/tsconfig.json && cd ./src/test/ts4/ && mv index.js index.mjs && node index.mjs || echo 'fixme: works locally on mac' && exit 0",
     "test:ts5": "node ./node_modules/ts5/bin/tsc -p src/test/ts5/tsconfig.json && cd ./src/test/ts5/ && mv index.js index.mjs && node --loader babel-register-esm index.mjs",
     "test:unit": "jest --config=jest.config.json --runInBand",
-    "test:depcheck": "npx depcheck --ignores rimraf,typedoc,tslib,babel*,esbuild*,@types/jest,@babel/*,@qiwi/decorator-utils",
+    "test:depcheck": "npx depcheck --ignores typedoc,babel*,esbuild*,@types/jest,@babel/*,@qiwi/decorator-utils",
     "test:depaudit": "yarn audit --groups=dependencies --level=moderate; [[ $? -ge 4 ]] && exit 1 || exit 0",
     "build": "concurrently 'npm:build:*'",
     "build:esm": "node ./src/scripts/build.cjs",
@@ -65,10 +65,7 @@
     "reflect-metadata": ">=0.1"
   },
   "dependencies": {
-    "lodash.get": "^4.4.2",
-    "lodash.once": "^4.1.1",
-    "lodash.reduce": "^4.6.0",
-    "lodash.set": "^4.3.2"
+    "lodash": "^4.17.21"
   },
   "devDependencies": {
     "@qiwi/substrate": "^2.0.4",
@@ -86,10 +83,7 @@
     "@babel/register": "^7.23.7",
     "@babel/runtime": "^7.23.9",
     "@types/jest": "^29.5.11",
-    "@types/lodash.get": "^4.4.9",
-    "@types/lodash.once": "^4.1.9",
-    "@types/lodash.reduce": "^4.6.9",
-    "@types/lodash.set": "^4.3.9",
+    "@types/lodash": "^4.14.202",
     "babel-jest": "^29.7.0",
     "babel-register-esm": "^1.2.5",
     "concurrently": "^8.2.2",
@@ -101,7 +95,6 @@
     "jest": "^29.7.0",
     "prettier": "^3.2.4",
     "prettier-config-qiwi": "^2.1.2",
-    "rimraf": "^5.0.5",
     "ts-jest": "^29.1.2",
     "ts4": "npm:typescript@4",
     "ts5": "npm:typescript@^5.3.3",

diff --git a/src/main/ts/utils.ts b/src/main/ts/utils.ts
@@ -1,13 +1,13 @@
 /** @module @qiwi/decorator-utils */
 
-import reduce from 'lodash.reduce'
+import reduce from 'lodash/reduce.js'
 import type {} from 'reflect-metadata'
 
 import { IDescriptor, IInstance, IProto, IReducible } from './interface'
 
-export {default as get} from 'lodash.get'
-export {default as set} from 'lodash.set'
-export {default as once} from 'lodash.once'
+export {default as get} from 'lodash/get.js'
+export {default as set} from 'lodash/set.js'
+export {default as once} from 'lodash/once.js'
 
 export const isFunction = (fn: any): boolean =>
   typeof fn === 'function'