
"npm audit" reports electron-settings as a high security vulnerability #179

Closed
KevinHughes opened this issue Feb 16, 2024 · 5 comments · Fixed by #180

Comments

@KevinHughes

KevinHughes commented Feb 16, 2024

When making an app using electron 28.2.3 or later, including electron-settings 4.0.2 or 5.0.0 as a dependency causes this output when running npm install or npm audit:

Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install electron-settings@3.2.0, which is a breaking change
node_modules/lodash.set
  electron-settings  >=4.0.0
  Depends on vulnerable versions of lodash.set
  node_modules/electron-settings

2 high severity vulnerabilities

This workaround, which forces npm to override old versions of lodash.set in package.json...

"overrides": {
    "lodash.set@>=3.7.0 <4.17.19": "https://github.com/lodash/lodash/archive/f299b52f39486275a9e6483b60a410e06520c538.tar.gz"
}

...does not work as it prevents any settings from being written.

@Zalk0 (Contributor)

Zalk0 commented Mar 16, 2024

Hey,
I saw this vulnerability and the lodash "Per Method Packages" are no longer actively supported and will be removed in lodash v5 as we can see on their website (https://lodash.com/per-method-packages).
The last version of lodash.set is 4.3.2 https://www.npmjs.com/package/lodash.set which is already the version of the dependency in electron-settings.
So this package would need to transition from per method packages to lodash directly.
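As an added illustration of the prototype-pollution class behind the advisory linked above (example code written for this thread, not electron-settings' or lodash's own source): a path-setter that refuses the reserved keys such a payload needs, the same kind of guard lodash added to its internal baseSet() in 4.17.19. The dot/[index] path syntax and the prototypeIsClean check are assumptions made for the example.

```javascript
// Added example (not electron-settings' or lodash's code): a path-setter that
// refuses the reserved keys a prototype-pollution payload needs, the same kind
// of guard lodash applies in baseSet() from 4.17.19 on. Paths use a simple
// dot/[index] syntax, an assumption made here for the example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "window.size[1]" into ["window", "size", "1"]; arrays are taken as-is.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).replace(/\[(\d+)\]/g, '.$1').split('.').filter(Boolean);
}

// Write `value` at `path` inside `object`, creating intermediate containers.
// Throws instead of silently walking into Object.prototype.
function safeSetPath(object, path, value) {
  const segments = toPath(path);
  if (segments.length === 0) throw new TypeError('empty path');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new TypeError(`refusing reserved key "${seg}" in path ${JSON.stringify(path)}`);
    }
  }
  let node = object;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      // Next segment numeric -> create an array, otherwise a plain object.
      node[key] = /^\d+$/.test(segments[i + 1]) ? [] : {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return object;
}

// Regression check: Object.prototype must not have gained any enumerable key.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample settings document, like the JSON electron-settings stores.
const settings = safeSetPath({}, 'window.size[1]', 600);
// settings.window.size[1] === 600, and settings.window.size.length === 2
```

Running the rejected-path cases from this block against a project's installed set helper makes a cheap unit test that a future dependency bump has not reintroduced the problem.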

@SteveW94

Thanks a lot for already creating the Pull-Request! 👍

I hope it gets merged and pushed through as a new Release soon, as this security issue currently pops up as a very red flag also in our electron projects :/

@nathanbuchar (Owner)

4.0.3 is live. Please give it a try and let me know if it's working as expected.

@KevinHughes (Author)

It looks like everything is working as expected for me, thank you!

@SteveW94

After regenerating our Lockfile, which made everything use the new version and removed the old lodash packages, everything seems fine again. Thanks for your fast reaction :)
