[Security] High severity findings summary #4
High Severity Security Findings
The following high-severity issues were identified during the automated security scan of morphadmin/lodash-bench (branch: main).
Finding 1 — Severely Outdated devDependencies with Known CVEs
File: package.json
Severity: High
Several devDependencies are pinned to versions that are years out of date and carry known vulnerabilities. Although these are dev-only, they run during CI builds (npm run validate) on every push and PR, expanding the attack surface during the build pipeline.
| Package | Installed Version | Known Issues |
|---|---|---|
| lodash (devDep) | 4.17.20 | Older than the project itself (4.17.23); misses prototype-pollution and template injection patches |
| uglify-js | 2.7.5 | CVE-2015-8858 (ReDoS); multiple other known CVEs in v2.x |
| webpack | ^1.14.0 | Major version 1, EOL since 2018, numerous unpatched CVEs |
| cheerio | ^0.22.0 | Multiple XSS / ReDoS issues in 0.x branch (current: 1.x) |
| request | ^2.88.0 | Deprecated, known SSRF and cookie-jar issues |
| istanbul | 0.4.5 | Pinned to 2016-era release, superseded by nyc/c8 |
| ecstatic | ^2.2.2 | Path traversal vulnerability in v2.x |
Recommendation:
- Run `npm audit` and address all HIGH/CRITICAL items.
- Upgrade or replace deprecated packages (`request` → `got`/`axios`, `istanbul` → `nyc`, `webpack` → v5).
- Pin all devDependencies to exact SHA digests in CI or use `npm ci` with a locked `package-lock.json`.
Finding 2 — CI Workflow Missing permissions Hardening (ci-node.yml)
File: .github/workflows/ci-node.yml
Severity: High
The main CI workflow (ci-node.yml) does not declare a permissions block, meaning the workflow inherits the repository-level default token permissions (which can be read/write for contents, packages, etc. depending on repo settings). This violates the principle of least privilege and means a compromised step or a malicious dependency installed via npm install could write to the repository or packages.
```yaml
# Missing from ci-node.yml:
permissions:
  contents: read
```
By contrast, codeql.yml and scorecards.yml both correctly scope their permissions.
Recommendation:
- Add `permissions: read-all` (or a minimal explicit set) at the top of `ci-node.yml`.
- Audit all other workflow files for the same omission.
- Pin all `uses:` action references to their full commit SHA (as is done in `codeql.yml` and `scorecards.yml`) rather than mutable tags like `@v4`.
Finding 3 — devDependency lodash version pinned to vulnerable 4.17.20
File: package.json, line: `"lodash": "4.17.20"`
Severity: High
The project declares itself as lodash v4.17.23 (package.json "version"), but installs an older lodash 4.17.20 as a devDependency. Version 4.17.20 is missing the prototype pollution fix (CVE-2019-10744 patch landed in 4.17.21) and the _.template command injection mitigation (CVE-2021-23337).
Build and test tooling that depends on this older lodash devDependency could be exploited via prototype pollution in the build pipeline.
Recommendation:
- Change `"lodash": "4.17.20"` → `"lodash": "4.17.21"` (minimum) or ideally align with the project version `"4.17.23"`.
Reported by Morph Code automated security scanner.