Why you should stop using lodash and similar?
The pandora box
Lodash has a long history of vulnerabilities, the first one registered was on 23 Apr, 2012 for version 0.1.0
Please have a look at this link https://snyk.io/vuln/npm:lodash
Why people even use lodash
- Iterating arrays, objects, & strings
- Manipulating & testing values
- Creating composite functions
Is it really that useful?
In my opinion NO! 👎
Most of the features can be written in plain JS, while other need a bit of overhead.
I think that not using it, you gain 2 things:
- You learn more advanced JS.
- The time you spend into learning the lodash library, you can spend it into learning more advanced JS, which will definitely pay later on.
What are the kind of vulnerabilities that lodash introduces?
The worst kind:
- Prototype Pollution
- Command Injection
Lets talk a bit about those vulnerabilities
There are two main ways in which the pollution of prototypes occurs:
- Property definition by path
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
This attack differs from Code Injection, in that code injection allows the attacker to add their own code that is then executed by the application. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.
So how bad is it?
- While developing, the code that you are running is on your computer, think about all the “secrets” that you have on it: passwords, vpns, private documents. A multi stage attack using multiple module updates and multiple packages can be undetectable by antivirus, and it can possibly gain root access .
- In production can gain access to data from possibly billions of users, like: credit cards, phone number, email, home address and more…
What can we do?
We can all try to NOT use lodash or simillike libraries.
Explain to everyone we know why using lodash is a bad idea.
Thank you for reading 🙏.
And remember that you can clap 👏 multiple time.