npm audit flags dep sbo@1.1.3 with high severity vulnerabilities due to lodash.set

[0x-a6]

Describe the bug

When running npm audit with aws-iot-device-sdk-v2@1.19.3 result:

# npm audit report

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash.set
  sbo  >=1.1.3
  Depends on vulnerable versions of lodash.set
  node_modules/sbo

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Expected Behavior

when running npm audit should result in 0 vulnerabilities

Current Behavior

2 high vulnerabilities detected

Reproduction Steps

6.5.0-27-generic kernel, 22.04.1-Ubuntu x86_64 Linux,
node v18.19.1,
npm 10.5.2
install the package
run npm audit

Possible Solution

Perhaps it's related to an old object copy issue mentioned here: lodash/lodash#5809 I don't know. But it seems like an old vulnerability for such a modern version of dependency

Additional Information/Context

No response

SDK version used

1.19.3

Environment details (OS name and version, etc.)

6.5.0-27-generic kernel, 22.04.1-Ubuntu x86_64 Linux, node v18.19.1, npm 10.5.2

[0x-a6]

I've also updated node to v20.12.2 (Iron) via nvm and ran 'npm update --save' & 'npm i' with the same audit results.

[0x-a6]

backend@1.0.0 /path/to/project/backend
└─┬ aws-iot-device-sdk-v2@1.19.3
  └─┬ 2@3.0.0
    └─┬ sbo@1.1.3
      └── lodash.set@4.3.2

Does this mean I need to raise this on the sbo repository?

[bretambrose]

No, someone added a pointless top-level dependency.

#494 removes

[0x-a6]

@bretambrose Thank you! Confirmed works for me.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.