Security Vulnerability in Lodash-es all versions

[huggingpixels]

Environment

• Browser: Not applicable
• Version of smooth-scrollbar: All

Issue Summary

All versions of package lodash are susceptible to vulnerabilities which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Recently, I updated the package to Lodash-es version 4.17.21, but that version also contains the same gap, as all lodash-es versions available.

Current Behavior

References:
https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
https://security.netapp.com/advisory/ntap-20210312-0006/

Expected Behavior

The fix suggested by Whitesource and NetApp is to change the used library to Lodash 4.17.21 (non es version)

Steps to Reproduce

Please find exploit information here: https://nvd.nist.gov/vuln/detail/CVE-2021-23337

[idiotWu]

Using the non-es version will raise the bundle size. Since we are only using a few helper functions provided by lodash, I'm considering removing lodash in the next major release (i.e. v9.0.0).

[j-turner28]

@idiotWu do you have a timeline for if/when this change is going to happen? If I create a pull request to remove lodash and replace its usage, would you consider releasing a new version of the package with this update?

[idiotWu]

@j-turner28 sure, any PR will be welcome!

I just double-checked the CVE-2021-23337 and it seems only those who use the template() function is affected. I believe we are safe as we only use a few functions like debounce() and clamp(). But again, removing lodash-es will be extremely helpful because we aim to make future versions dependency-free!