
Prototype Pollution vulnerability in lodash.set dependency #1046

@Fabricevladimir

Description

The lodash.set dependency used by snapshot.js contains a prototype pollution vulnerability that has not yet been patched.

The potential security risk in the library can be mitigated by either downgrading to a non-vulnerable version, if possible, or removing the dependency altogether and replacing the singular call with a custom function.

Details

  • Affected Package: lodash.set
  • Vulnerability Type: Prototype Pollution
  • Current Version: 4.3.2
  • Status: Vulnerability not yet patched
  • Severity: High

Steps to Reproduce

  1. Install the current version of snapshot.js.
  2. Run a vulnerability scan (e.g., npm audit or yarn audit).
  3. Observe the reported prototype pollution vulnerability in lodash.set.

Recommended Actions

  1. Monitor: Keep an eye on updates to lodash.set and apply the patch once available.
  2. Downgrade: If a non-vulnerable version that still provides the required functionality exists, consider downgrading to that version (the earliest version with the vulnerability is 3.7.0).
  3. Remove: Evaluate the feasibility of removing the lodash.set dependency from snapshot.js.
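For the "Remove" option, the following is an added example of what the custom replacement for the single `lodash.set` call could look like; it is not code from snapshot.js or from lodash. The names `safeSet`, `toPath` and `FORBIDDEN_KEYS` are assumptions. The setter mirrors the usual `set(object, path, value)` shape (dotted or bracketed string paths, or an array of keys) but refuses any path segment that could reach `Object.prototype`, which is the class of input a prototype pollution finding against a path-based setter is about. It also only descends into own properties, so an inherited value is never used as a container.

```javascript
// Hardened replacement for a single lodash.set(object, path, value) call.
// Added example: safeSet/toPath/FORBIDDEN_KEYS are names chosen here,
// not identifiers from snapshot.js or lodash.

// Keys that would let a path walk into or redefine a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Normalise a path into an array of string keys.
// "a.b[0].c" -> ["a", "b", "0", "c"]; arrays are passed through as strings.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\d+)\]/g, ".$1") // turn bracket indices into dotted segments
    .split(".")
    .filter((key) => key.length > 0);
}

// Set `value` at `path` inside `target`, creating intermediate containers.
// Throws instead of writing when the path contains a forbidden key.
function safeSet(target, path, value) {
  if (target === null || typeof target !== "object") {
    throw new TypeError("safeSet: target must be a non-null object");
  }
  const keys = toPath(path);
  if (keys.length === 0) {
    throw new TypeError("safeSet: path must contain at least one key");
  }
  // Validate the whole path before touching the target, so a rejected
  // call leaves the object untouched rather than half-written.
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`safeSet: refusing to write through key "${key}"`);
    }
  }

  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only reuse an existing container if it is an own property; an
    // inherited value must never become the object we write into.
    let next = Object.prototype.hasOwnProperty.call(node, key)
      ? node[key]
      : undefined;
    if (next === null || typeof next !== "object") {
      // Create an array when the following segment is an index, as the
      // lodash-style API does, otherwise a plain object.
      next = /^\d+$/.test(keys[i + 1]) ? [] : {};
      node[key] = next;
    }
    node = next;
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Small self-check usable from a script: a benign path is written, a
// prototype-reaching path is rejected, and fresh objects stay clean.
function selfCheck() {
  const ok = safeSet({}, "config.items[0].name", "snapshot");
  let rejected = false;
  try {
    safeSet({}, "__proto__.polluted", true);
  } catch (err) {
    rejected = true;
  }
  return {
    written: ok.config.items[0].name === "snapshot",
    rejected,
    prototypeClean: ({}).polluted === undefined,
  };
}

module.exports = { FORBIDDEN_KEYS, toPath, safeSet, selfCheck };
```

Because validation runs over the full path before the first write, a rejected call does not leave a partially created structure behind, and because `__proto__` is refused as a plain key (not just as a first segment), the check also covers nested paths such as `a.__proto__.b`.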
