[Bug] high severity vulnerabilities dependency lodash.pick #3046

@leverglowh

Description

Describe the bug
Lodash per-method packages are not maintained anymore, and their usage is discouraged by the team.
Kepler packages have multiple lodash per-method packages as dependencies.
lodash.pick specifically causes npm audit to raise warnings about multiple high severity vulnerabilities.

The workaround suggested here (lodash/lodash#5809 (comment)) causes the basic template example from the docs to fail with `An error in deck.gl: deck.gl: assertion failed.`

To Reproduce
Steps to reproduce the behavior:

  • Just run `npm install --save kepler.gl @kepler.gl/components @kepler.gl/reducers` in an empty folder to see all the vulnerabilities
  • To see the failing override workaround error on the map:
    1. Start a new vite project with react redux: `npx degit reduxjs/redux-templates/packages/vite-template-redux my-app`
    2. Add kepler: `npm install --save kepler.gl @kepler.gl/components @kepler.gl/reducers`
    3. Add the override in package.json:
       "overrides": {
           "lodash.pick": "https://github.com/lodash/lodash/archive/refs/tags/4.17.21.tar.gz"
       }
    4. Follow https://docs.kepler.gl/docs/api-reference/get-started to render kepler in the app
    5. Run `npm run dev`; if the error is not shown, try using the dual map button

Expected behavior
Should not depend on the vulnerable package lodash.pick.
Example of how to move away from it: GeekyAnts/NativeBase#5799

Desktop (please complete the following information):
Does not concern device

Smartphone (please complete the following information):
Does not concern device

Additional context
The 3 kepler packages have in total 37 vulnerabilities (5 moderate, 32 high):

Overriding these removes the warnings, but of course many are breaking changes; I have not tested the impact.
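An added example (not from the issue or from the kepler.gl project) of the checks a maintainer would run around such a migration: it scans a package-lock.json for lodash per-method packages and reports which packages pull each one in, then rewrites import/require specifiers from the `lodash.<method>` packages to the matching `lodash/<method>` path. The lockfile below is constructed; the rewrite assumes the project also depends on the main lodash package.

```javascript
// Added example, not kepler.gl code. Finds lodash per-method packages in a
// lockfile (lockfileVersion 2/3 "packages" map) and shows who depends on them.
const PER_METHOD = /^lodash\.[a-z]+$/i;

// "node_modules/a/node_modules/b" -> "b"; the root entry "" -> "<root>".
function pkgName(lockPath) {
  if (lockPath === '') return '<root>';
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns [{ name, version, dependents: [...] }] sorted by package name.
function findPerMethodLodash(lock) {
  const found = new Map();
  const entries = Object.entries(lock.packages || {});
  for (const [path, meta] of entries) {
    const name = pkgName(path);
    if (PER_METHOD.test(name) && !found.has(name)) {
      found.set(name, { name, version: meta.version, dependents: [] });
    }
  }
  for (const [path, meta] of entries) {
    const deps = { ...(meta.dependencies || {}), ...(meta.peerDependencies || {}) };
    for (const dep of Object.keys(deps)) {
      if (found.has(dep)) found.get(dep).dependents.push(pkgName(path));
    }
  }
  return [...found.values()].sort((a, b) => a.name.localeCompare(b.name));
}

// Rewrites 'lodash.pick' / "lodash.throttle" specifiers to 'lodash/pick' etc.
// Assumes the full lodash package is (or will be) a dependency of the project.
function rewriteLodashImports(src) {
  return src.replace(/(['"])lodash\.([a-z]+)\1/gi, (m, q, method) => `${q}lodash/${method}${q}`);
}

// Constructed sample lockfile, loosely modelled on the install from the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'kepler.gl': '^3.0.0' } },
    'node_modules/kepler.gl': { version: '3.0.0', dependencies: { '@kepler.gl/components': '3.0.0', 'lodash.pick': '^4.4.0' } },
    'node_modules/@kepler.gl/components': { version: '3.0.0', dependencies: { 'lodash.pick': '^4.4.0', 'lodash.throttle': '^4.1.1' } },
    'node_modules/lodash.pick': { version: '4.4.0' },
    'node_modules/lodash.throttle': { version: '4.1.1' },
  },
};

console.log(JSON.stringify(findPerMethodLodash(SAMPLE_LOCK), null, 2));
```

Against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and run the rewrite over your own source files only, not over node_modules.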

Labels: bug