Overview
CVE-2021-23337 is a High severity Command Injection vulnerability in lodash.template@4.5.0, which Vue 2.6, Vue 2.7, and Nuxt 2 depend on. This dependency vulnerability has been addressed in the latest NES release of Vue. We’ve tested and deployed new patch versions of Vue core and all of its associated sub-packages (most critically vue-server-renderer, which Nuxt users depend on).
Mitigation
Instructions for NES Nuxt customers to adopt the new version of vue-server-renderer are available in the NES Nuxt documentation.
This Lodash vulnerability does not affect Vue 3 or Nuxt 3 users. However, for HeroDevs NES customers who have not yet completed their migration to Vue 3 or Nuxt 3, you’ll want to install this new patch.
Patching this issue yourself can be tricky because the direct dependencies lodash.template and lodash.uniq are no longer published as individual packages on NPM. As such, overriding the dependencies without rebuilding all of the packages is not simple. Older versions of Vue had to be rebuilt to consume the new packaging structure of Lodash. While we have the infrastructure to do this on the HeroDevs NES team, this is work that many teams do not wish to do themselves. In addition to functional correctness, we also analyze the patched versions of Vue to validate that any new transitive dependencies are deduplicated and your application’s bundle size remains optimized.
Instructions for NES Vue and Nuxt Users
The latest instructions and version numbers to use, along with how to set up NES Vue and Nuxt for the first time, are available on the Vue or Nuxt Getting Started pages. You’ll just need to update your package.json to point to the newly released versions.
Verifying the patch
To verify that the lodash.template package is no longer depended on by Nuxt or Vue, you can use your package manager’s why command. Usually, this is npm why, yarn why, or pnpm why.
npm why lodash.template # Should not print out "nuxt" or "vue".
Now, when running npm why you should see that a newer version of Lodash, not lodash.template@4.5.0, is resolved.
npm why lodash # Should return a successful response and
# resolve to a version that satisfies ^4.17.21
Approaching this Patch
On the NES team, we strive to act as stewards of the project and make changes that are non-breaking and in the best interest of current users. Because the package published on npm as lodash.template is no longer being published, there is technically no “latest” version to upgrade to.
However, Lodash itself remains well-maintained. We opted to upgrade Lodash to receive all current non-breaking changes and patch fixes. We also now depend on it directly and follow the modern (but backwards compatible!) import syntax that they recommend.
This was for a few reasons.
Firstly, there are quite a few vulnerabilities that have been patched in the latest versions of Lodash. Going forward, there may be more. Because we are opting to use the publicly maintained package and defining a version range that accepts patch updates, you’ll be able to automatically receive any future patches as part of merging in any Renovate or Dependabot Pull Requests. This means that you’ll be able to automatically receive any future patches without needing to explicitly touch your project’s Vue dependencies!
Secondly, there are multiple Lodash packages depended on by Vue both directly and transitively. The Lodash project and its many sub-packages, functions, and modules are designed to be built together and pinned to a singular version throughout your application so that you’re not shipping duplicate code. By upgrading to the latest non-breaking version of Lodash, we’re able to ensure that your build tooling is able to properly tree-shake your dependencies and not double-include some of the more basic utility packages.
Summary
We patched Vue and Nuxt against a host of previous Lodash issues and expanded the version range to include future patches. We took great care in ensuring backward and forward compatibility, functional production parity, and bundle sizes.
You can keep your Vue and Nuxt applications secure, compliant, and up to date by updating your package.json file with the versions we’ve released.
- Vue 2.7 NES users: Ensure all Vue core package versions resolve to versions above @neverendingsupport/vue2@2.7.21.
- Vue 2.6 NES users: Ensure all Vue core package versions resolve to versions above @neverendingsupport/vue2@2.6.19 (but take care not to update to unpatched versions of Vue 2.7).