How to fix Prototype Pollution error for using lodash and JointJS?


We have a legacy app which is using AngularJS 1. The app also uses JointJS version 0.9.6 (which internally uses Lodash.js version 3.10.1).

Recently we found that we need to upgrade lodash.js, as the version being used has some security concerns. When we upgrade, we get the error below:

Cannot read properties of undefined (reading 'dee')
JointJS line: if (this.mixin.deep && (Object(copy) === copy)) {

I see that the old version of Lodash had a function called defaultsDeep and that it is not available in the new version.

Any idea how to upgrade/resolve this issue?

I tried upgrading JointJS but that didn't fix the issue.

I tried commenting out the code in the JointJS library and it started working; however, I am afraid that I might have silently broken something else.


There are 1 best solutions below

James On

What version of JointJS did you update to? The latest version of jointjs is 3.7.2.

The latest version of jointjs replaces the lodash util functions with its own internal code, so maybe that will resolve your issue.

Although, any recent version of jointjs will be compatible with the latest version of lodash, which is 4.17.21.
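
For background on why scanners flag recursive merge helpers such as the defaultsDeep mentioned in the question, here is an added example that is not from this thread, lodash or JointJS. It goes slightly beyond the post by showing the general defect and its guard; the names naiveDefaultsDeep, safeDefaultsDeep and demo are hypothetical and the input is constructed.

```javascript
// Added example: hypothetical helpers, not lodash or JointJS source code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';

// Unguarded recursive defaults: treats "__proto__" like any other key, so the
// recursion walks from a plain object into the shared Object.prototype.
function naiveDefaultsDeep(target, source) {
  for (const key in source) {
    if (isObject(source[key]) && isObject(target[key])) {
      naiveDefaultsDeep(target[key], source[key]);
    } else if (target[key] === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded variant: skips prototype-related keys and only descends into
// properties the target owns itself, never inherited ones.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    const own = hasOwn ? target[key] : undefined;
    if (isObject(source[key]) && isObject(own)) {
      safeDefaultsDeep(own, source[key]);
    } else if (own === undefined) {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed input: JSON.parse creates an own property literally named "__proto__".
function demo() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "size": {"width": 10}}');
  const merged = safeDefaultsDeep({ size: { height: 5 } }, untrusted);
  const afterSafe = ({}).polluted === true;   // unrelated objects unaffected
  naiveDefaultsDeep({}, untrusted);
  const afterNaive = ({}).polluted === true;  // every object now inherits the flag
  delete Object.prototype.polluted;           // undo the pollution for the rest of the process
  return { merged, afterSafe, afterNaive };
}

console.log(demo());
```

A check like demo() can be kept as a regression test after a library upgrade, so that swapping or patching the merge helper does not reintroduce the behaviour.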