lodash prototype pollution (npm, <4.17.21)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags a manifest pin of lodash below 4.17.21, before the prototype-pollution/command-injection fixes (CVE-2020-8203, CVE-2021-23337) landed.
Why it matters
Versions of lodash before 4.17.21 have documented prototype-pollution and command-injection issues in functions like zipObjectDeep and template (CVE-2020-8203, CVE-2021-23337). An attacker who can influence input to one of these functions can pollute Object.prototype for the whole process or, in the template case, potentially execute code -- a real, exploited class of bug in a package that ships in nearly every JavaScript project. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Bump lodash to 4.17.21 or later. This is almost always a drop-in upgrade with no API changes; if lodash is only a transitive dependency, update the parent package or add an override/resolutions entry forcing 4.17.21+.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo