Skip to content

fix(deps): remove lodash dependencies#1022

Open
gameroman wants to merge 1 commit intoauth0:masterfrom
gameroman:remove-lodash
Open

fix(deps): remove lodash dependencies#1022
gameroman wants to merge 1 commit intoauth0:masterfrom
gameroman:remove-lodash

Conversation

@gameroman
Copy link
Copy Markdown

@gameroman gameroman commented Apr 11, 2026
edited
Loading

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

Remove lodash dependencies

References

Closes #991

Testing

All tests pass

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@gameroman gameroman requested a review from a team as a code owner April 11, 2026 00:17
@JappiPatel
Copy link
Copy Markdown

JappiPatel commented Apr 22, 2026
edited
Loading

Security Impact: Multiple Critical CVEs in Lodash Dependencies

Thank you @gameroman for this PR! I want to emphasize the urgent security need for this change based on recent vulnerability scans.

Current State (jsonwebtoken@9.0.3)

The lodash sub-packages currently pulled in by jsonwebtoken have 10+ known CVEs, including:

Package Version Critical CVEs
lodash.includes 4.3.0 CVE-2026-4800 (CVSS 9.8), CVE-2019-10744 (CVSS 9.1)
lodash.isnumber 3.0.3 CVE-2021-23337 (CVSS 7.2), CVE-2020-8203 (CVSS 7.4)
lodash.isboolean 3.0.3 CVE-2018-3721 (CVSS 6.5), CVE-2019-1010266 (CVSS 6.5)
lodash.isstring 4.0.1 Multiple CVEs affecting 4.x versions
lodash.isinteger 4.0.4 Multiple CVEs affecting 4.x versions
lodash.isplainobject 4.0.6 Multiple CVEs affecting 4.x versions
lodash.once 4.1.1 Multiple CVEs affecting 4.x versions

Most Critical Issues

CVE-2026-4800 (CVSS 9.8 - Critical):

  • Command Injection in _.template() - bypass of CVE-2021-23337 fix
  • Arbitrary code execution when processing untrusted template input
  • Affects lodash versions ≤ 4.17.23 (all sub-packages in jsonwebtoken use older versions)

CVE-2019-10744 (CVSS 9.1 - Critical):

  • Prototype Pollution vulnerability
  • Allows modification of Object.prototype affecting all objects

Real-World Impact

These vulnerabilities are actively flagged by:

  • SAP Security Vulnerability Management (SVM)
  • Black Duck SCA scans
  • Snyk, Dependabot, and other security tools

Organizations using jsonwebtoken are receiving daily security alerts that they cannot resolve without this PR being merged.

Request

Could you please prioritize reviewing and merging this PR? The security impact is significant, and this affects thousands of downstream projects. All tests pass, and the changes appear straightforward.

References:

Thank you for maintaining this package! 🙏

@JappiPatel JappiPatel mentioned this pull request Apr 22, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

get rif of lodash dependency

2 participants

@gameroman @JappiPatel