Does Zammad use LodashJS?

Mr_Cybertux · May 14, 2024, 12:48pm

Infos:

Used Zammad version: 6.2.0-1710415722.ca3a5152.focal
Used Zammad installation type: package
Operating system: Ubuntu 20.04
Browser + version:

Expected behavior:

We want to get a cyber insurance for the Zammad server and part of that process is a security analysis conducted by them.
They list LodashJS 1.8.3 as a vulnerable in their report and as high impact vulnerability.
*

Actual behavior:

I did not find anything about Zammad using LodashJS while searching the web.
The only thing i found was Elasticsearch using lodash but the implimented version is version 4 since around 2018 and elaticsearch is runing in version 7.17

github.com/elastic/elasticsearch-js

Upgrade to lodash v4

elastic:14.x ← dominykas:lodash-upgrade

opened 06:53AM - 08 May 18 UTC

dominykas

+355 -394

Closes #630 How I approached this: 1. go through each [breaking change of… lodash v2 to v3](https://github.com/lodash/lodash/wiki/Changelog#v300) - check every usage of a function that changed (i.e. search by function name) 2. same for [lodash v3 to v4](https://github.com/lodash/lodash/wiki/Changelog#v400) 3. go through every `require` of `src/lib/utils.js` and split up the `_` vs `utils` usage 4. go through every usage of `_.` and `_(` to verify that `thisArg` is no longer used (breaking change in v4)

*

Final Question:

Does Zammad outside of Elatic use lodash in any form?
@MrGeneration Sorry to tag you, i do not know if this is against the forum rules? But i feel like this is a question that most likely only a core team member can answer and you are the only one i know on the forum and you were always really helpfull
*

system · May 9, 2025, 12:49pm

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.