From 14a9cc7752cf450cd83e07d8294bd56decda3d04 Mon Sep 17 00:00:00 2001
From: "n.kudryavtsev"
Date: Tue, 5 Feb 2019 16:20:17 +0300
Subject: [PATCH 1/3] Migration to Lodash 4.17.11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Lodash versions <=4.17.4 were vulnerable to Prototype Pollution, for details please see:
https://www.npmjs.com/advisories/577
For changes in Lodash 4.x please see:
https://github.com/lodash/lodash/releases/tag/4.0.0
https://github.com/lodash/lodash/wiki/Changelog#compatibility-warnings
Only this change was needed to pay attention to:
* Removed _.pluck in favor of _.map with iteratee shorthand
Here are other changes related to methods used in font-loader but there is no need to change anything in code:
* Split _.assign & _.assignIn into _.assignWith & _.assignInWith
* Split _.invert into _.invertBy
* Split _.omit & _.pick into _.omitBy & _.pickBy
* Split _.uniq into _.sortedUniq, _.sortedUniqBy, & _.uniqBy
* Made “By” methods like _.groupBy & _.sortBy provide a single param to iteratees
* Removed multiValue param from _.invert
* Removed legacy options param signature from _.template
* Enabled shortcut fusion for _.find
---
 lib/font-loader.js | 6 +++---
 package.json | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/font-loader.js b/lib/font-loader.js
index d3b121e..fb17d67 100644
--- a/lib/font-loader.js
+++ b/lib/font-loader.js
@@ -63,9 +63,9 @@ function getExtension(format) {
 
 function createTargets(source, options) {
   options = _.defaults(_.pick(options, 'weight', 'style', 'format'), {
-    weight: _.chain(source).pluck('weight').uniq().value(),
-    style: _.chain(source).pluck('style').uniq().value(),
-    format: _.chain(source).pluck('format').uniq().value()
+    weight: _.chain(source).map('weight').uniq().value(),
+    style: _.chain(source).map('style').uniq().value(),
+    format: _.chain(source).map('format').uniq().value()
   });
   return multiplex(options);
 }
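Review bot: The rewritten `weight`/`style`/`format` initialisers in createTargets still route a two-step map-then-uniq through `_.chain(...).value()`, which in Lodash 4 only adds an implicit wrapper around a plain function composition; the explicit form reads more directly and uses the same iteratee shorthand the commit message cites: `weight: _.uniq(_.map(source, 'weight')),`, `style: _.uniq(_.map(source, 'style')),`, `format: _.uniq(_.map(source, 'format'))`. Behaviour is the same either way, since `_.map` with a string iteratee is the documented replacement for `_.pluck` and `_.uniq` called without extra arguments is untouched by the 4.x signature split. The `_.pick(options, 'weight', 'style', 'format')` call on the context line still accepts variadic paths in 4.x, so nothing else in this hunk needs to follow the migration.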
diff --git a/package.json b/package.json
index 195f7b5..78c139d 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
   "dependencies": {
     "bluebird": "^2.9.26",
     "loader-utils": "^0.2.7",
-    "lodash": "^3.8.0",
+    "lodash": "^4.17.11",
     "option-multiplexer": "^0.1.0",
     "svg2ttf": "^2.0.0",
     "ttf2eot": "^1.3.0",

From c109790ff1f47596262e83c7843d93e6401bf958 Mon Sep 17 00:00:00 2001
From: "n.kudryavtsev"
Date: Tue, 5 Feb 2019 16:36:27 +0300
Subject: [PATCH 2/3] Updated ttf2eot and ttf2woff to 2.x

According to the change logs, there are no API changes in these packages thus only package.json can be edited:
https://github.com/fontello/ttf2eot/blob/master/CHANGELOG.md
https://github.com/fontello/ttf2woff/blob/master/CHANGELOG.md
---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 78c139d..f6681c1 100644
--- a/package.json
+++ b/package.json
@@ -11,8 +11,8 @@
     "lodash": "^4.17.11",
     "option-multiplexer": "^0.1.0",
     "svg2ttf": "^2.0.0",
-    "ttf2eot": "^1.3.0",
-    "ttf2woff": "^1.3.0"
+    "ttf2eot": "^2.0.0",
+    "ttf2woff": "^2.0.1"
   },
   "devDependencies": {
     "babel-eslint": "^3.0.1",

From 6c0f98d3c267daaf38472e8edc3951517cea1f73 Mon Sep 17 00:00:00 2001
From: "n.kudryavtsev"
Date: Tue, 3 Dec 2019 20:05:29 +0300
Subject: [PATCH 3/3] Lodash 4.17.15

Though vulnerability https://nodesecurity.io/advisories/577 was fixed in Lodash 4.17.5, versions <=4.17.11 remained vulnerable to Prototype Pollution, for details please see:
https://www.npmjs.com/advisories/1065
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index f6681c1..f846153 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
   "dependencies": {
     "bluebird": "^2.9.26",
     "loader-utils": "^0.2.7",
-    "lodash": "^4.17.11",
+    "lodash": "^4.17.15",
     "option-multiplexer": "^0.1.0",
     "svg2ttf": "^2.0.0",
     "ttf2eot": "^2.0.0",