Update lodash to 4.17.10 for CVE concerns

Author: Wardormeur

lib/profiles/user-profile-data.js

@@ -73,16 +73,16 @@ var youthBlackList = ['name'];
 
 // var allowedOptionalFieldsYouth = ['dojos', 'linkedin', 'twitter', 'badges'];
 var allowedOptionalFieldsYouth = _.filter(hiddenFields, function (field) {
-  if (_.contains(field.allowedUserTypes, 'attendee-o13')) return field.modelName;
+  if (_.includes(field.allowedUserTypes, 'attendee-o13')) return field.modelName;
 });
 
 // var allowedOptionalFieldsChampion = ['notes', 'projects'];
 var allowedOptionalFieldsChampion = _.map(hiddenFields, function (field) {
-  if (_.contains(field.allowedUserTypes, 'champion')) return field.modelName;
+  if (_.includes(field.allowedUserTypes, 'champion')) return field.modelName;
 });
 
 var allowedOptionalFieldsMentor = _.map(hiddenFields, function (field) {
-  if (_.contains(field.allowedUserTypes, 'mentor')) return field.modelName;
+  if (_.includes(field.allowedUserTypes, 'mentor')) return field.modelName;
 });
 
 var allowedOptionalFields = {
@@ -207,7 +207,7 @@ function cmd_user_profile_data (args, done) {
     if (_.isEmpty(usersDojos)) {
       profile.userTypes.push(profile.userType);
     } else {
-      profile.userTypes = _.flatten(_.pluck(usersDojos, 'userTypes'));
+      profile.userTypes = _.flatten(usersDojos.map(ud => ud.userTypes));
       profile.userTypes.push(profile.userType);
     }
     profile.userTypes = _.uniq(profile.userTypes);
@@ -219,14 +219,14 @@ function cmd_user_profile_data (args, done) {
   function addFlags (profile, done) {
     var userId = args.user ? args.user.id : null;
     flags.user.ownProfile = profile && profile.userId === userId;
-    flags.user.myChild = _.contains(profile.parents, userId);
+    flags.user.myChild = _.includes(profile.parents, userId);
     flags.user.isTicketingAdmin = _.find(profile.userPermissions, function (profileUserPermission) {
       return profileUserPermission.name === 'ticketing-admin';
     });
     if (userId) {
       seneca.act({role: 'cd-users', cmd: 'load', id: userId}, function (err, user) {
         if (err) return done(err);
-        if (_.contains(user.roles, 'cdf-admin')) flags.requestingUser.isCDF = true;
+        if (_.includes(user.roles, 'cdf-admin')) flags.requestingUser.isCDF = true;
         return done(null, profile);
       });
     } else {
@@ -279,15 +279,15 @@ function cmd_user_profile_data (args, done) {
 
       // We look at viewer rights
       _.each(requestingUserSharedDojos, function (requestingUserDojo) {
-        if (_.contains(requestingUserDojo.userTypes, 'champion')) flags.requestingUser.isChampionOf = true;
-        if (_.contains(requestingUserDojo.userTypes, 'mentor')) flags.requestingUser.isMentorOf = true;
+        if (_.includes(requestingUserDojo.userTypes, 'champion')) flags.requestingUser.isChampionOf = true;
+        if (_.includes(requestingUserDojo.userTypes, 'mentor')) flags.requestingUser.isMentorOf = true;
         if (_.find(requestingUserDojo.userPermissions, {'title': 'Dojo Admin', 'name': 'dojo-admin'})) flags.requestingUser.isDojoAdminOf = true;
         if (_.find(requestingUserDojo.userPermissions, {'title': 'Ticketing Admin', 'name': 'ticketing-admin'})) flags.requestingUser.isTicketingAdminOf = true;
       });
 
       // Viewed user flags
       _.each(profileDojos, function (profileDojo) {
-        if (_.contains(profileDojo.userTypes, 'champion')) flags.user.isChampion = true;
+        if (_.includes(profileDojo.userTypes, 'champion')) flags.user.isChampion = true;
         if (_.find(profileDojo.userPermissions, {'title': 'Dojo Admin', 'name': 'dojo-admin'})) flags.user.isDojoAdmin = true;
         if (_.find(profileDojo.userPermissions, {'title': 'Ticketing Admin', 'name': 'ticketing-admin'})) flags.user.isTicketingAdmin = true;
       });
@@ -307,23 +307,23 @@ function cmd_user_profile_data (args, done) {
     function filterFields (err, profile, requestingUserProfile) {
       var allowedFields = [];
 
-      if (_.contains(profile.userTypes, 'attendee-o13')) {
+      if (_.includes(profile.userTypes, 'attendee-o13')) {
         allowedFields = _.union(allowedFields, allowedOptionalFields['attendee-o13']);
       }
 
-      if (_.contains(profile.userTypes, 'champion')) {
+      if (_.includes(profile.userTypes, 'champion')) {
         allowedFields = _.union(allowedFields, allowedOptionalFields['champion']);
       }
 
-      if (_.contains(profile.userTypes, 'mentor')) {
+      if (_.includes(profile.userTypes, 'mentor')) {
         allowedFields = _.union(allowedFields, allowedOptionalFields['mentor']);
       }
 
       var keysToOmit = [];
       if (!flags.user.ownProfile && !flags.user.myChild && !flags.requestingUser.isTicketingAdmin &&
          !flags.requestingUser.isChampionOf && !flags.requestingUser.isDojoAdminOf && !flags.requestingUser.isCDF) {
         _.forOwn(profile.optionalHiddenFields, function (value, key) {
-          if (value && _.contains(allowedFields, key)) {
+          if (value && _.includes(allowedFields, key)) {
             keysToOmit.push(key);
           }
         });
@@ -380,13 +380,13 @@ function cmd_user_profile_data (args, done) {
    * @return {[type]}           [description]
    */
   function publicProfilesFilter (profile, done) {
-    if (!flags.requestingUser.canBypassFilter && !_.contains(profile.userTypes, 'attendee-u13')) {
+    if (!flags.requestingUser.canBypassFilter && !_.includes(profile.userTypes, 'attendee-u13')) {
       // Build the list of fields to pick
       _.each(profile.userTypes, function (userType) {
         publicFields = _.union(publicFields, fieldWhiteList[userType]);
       });
 
-      if (_.contains(profile.userTypes, 'attendee-o13')) {
+      if (_.includes(profile.userTypes, 'attendee-o13')) {
         publicFields = _.remove(publicFields, function (publicField) {
           var idx = youthBlackList.indexOf(publicField);
           return !(idx > -1);
@@ -414,7 +414,7 @@ function cmd_user_profile_data (args, done) {
   * @return {[type]}           [description]
   */
   function under13Filter (profile, done) {
-    if (_.contains(profile.userTypes, 'attendee-u13') && !flags.requestingUser.canBypassFilter) {
+    if (_.includes(profile.userTypes, 'attendee-u13') && !flags.requestingUser.canBypassFilter) {
       profile = {};
     }
     return done(null, profile);

oauth2.js

@@ -90,13 +90,13 @@ module.exports = function (options) {
         seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: user.id}}, function (err, usersDojos) {
           if (err) return done(err);
           var championTypeFound = _.find(usersDojos, function (userDojo) {
-            return _.contains(userDojo.userTypes, 'champion');
+            return _.includes(userDojo.userTypes, 'champion');
           });
           var youthOver13TypeFound = _.find(usersDojos, function (userDojo) {
-            return _.contains(userDojo.userTypes, 'attendee-o13');
+            return _.includes(userDojo.userTypes, 'attendee-o13');
           });
           var mentorTypeFound = _.find(usersDojos, function (userDojo) {
-            return _.contains(userDojo.userTypes, 'mentor');
+            return _.includes(userDojo.userTypes, 'mentor');
           });
           var verifyFound = _.any(usersDojos, 'backgroundChecked');
           if (championTypeFound) user.isChampion = true;
@@ -178,7 +178,7 @@ module.exports = function (options) {
           id: user.id,
           name: user.name,
           email: user.email,
-          isAdmin: _.contains(user.roles, 'cdf-admin'),
+          isAdmin: _.includes(user.roles, 'cdf-admin'),
           isChampion: user.isChampion,
           isYouthOver13: user.isYouthOver13,
           isMentor: user.isMentor,

package.json

@@ -39,7 +39,7 @@
     "jed": "1.1.0",
     "js-yaml": "3.2.7",
     "le_node": "1.1.0",
-    "lodash": "3.7.0",
+    "lodash": "4.17.10",
     "moment": "2.10.3",
     "newrelic": "^2.6.0",
     "node-uuid": "1.4.3",

profiles.js

@@ -269,7 +269,7 @@ module.exports = function (options) {
 
   // Note : tbdeleted
   function saveChild (profile, parentId, done) {
-    if (_.contains(profile.parents, parentId)) {
+    if (_.includes(profile.parents, parentId)) {
       delete profile.user;
       seneca.make$(ENTITY_NS).save$(profile, function (err, profile) {
         if (err) {
@@ -417,7 +417,7 @@ module.exports = function (options) {
         seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: requestingUserId}}, function (err, usersDojos) {
           if (err) return done(err);
           var parentTypeFound = _.find(usersDojos, function (userDojo) {
-            return _.contains(userDojo.userTypes, 'parent-guardian');
+            return _.includes(userDojo.userTypes, 'parent-guardian');
           });
           if (parentTypeFound) return done();
           return done(new Error('You must have the parent/guardian user type to accept this invite'));
@@ -463,7 +463,7 @@ module.exports = function (options) {
     }
 
     function removeInviteToken (ninjaProfile, done) {
-      ninjaProfile.parentInvites = _.without(ninjaProfile.parentInvites, _.findWhere(ninjaProfile.parentInvites, {id: inviteTokenId}));
+      ninjaProfile.parentInvites = _.without(ninjaProfile.parentInvites, _.find(ninjaProfile.parentInvites, {id: inviteTokenId}));
       seneca.act({role: plugin, cmd: 'save', profile: ninjaProfile}, done);
     }
   }
@@ -476,13 +476,13 @@ module.exports = function (options) {
     var hostname = process.env.HOSTNAME || '127.0.0.1:8000';
     var file = args.file;
 
-    if (!_.contains(args.fileType, 'image')) return done(null, {ok: false, why: 'Avatar upload: file must be an image.'});
+    if (!_.includes(args.fileType, 'image')) return done(null, {ok: false, why: 'Avatar upload: file must be an image.'});
     if (file.length > 5242880) return done(null, {ok: false, why: 'Avatar upload: max file size of 5MB exceeded.'});
 
     var buf = new Buffer(file.data, 'base64');
     var type = buf.toString('hex', 0, 4);
     var types = ['ffd8ffe0', '89504e47', '47494638'];
-    if (!_.contains(types, type)) return done(null, {ok: false, why: 'Avatar upload: file must be an image of type png, jpeg or gif.'});
+    if (!_.includes(types, type)) return done(null, {ok: false, why: 'Avatar upload: file must be an image of type png, jpeg or gif.'});
 
     // pg conf properties
     options.postgresql.database = options.postgresql.name;
@@ -693,7 +693,7 @@ module.exports = function (options) {
           if (err) return done(err);
           var ninjaProfile = ninjaProfiles[0];
           var userId = args.user ? args.user.id : null;
-          if (ninjaProfile && _.contains(ninjaProfile.parents, userId)) return done(new Error('User is already a parent of this Ninja'));
+          if (ninjaProfile && _.includes(ninjaProfile.parents, userId)) return done(new Error('User is already a parent of this Ninja'));
           return done();
         });
       }
@@ -711,7 +711,7 @@ module.exports = function (options) {
         seneca.act({role: 'cd-dojos', cmd: 'load_usersdojos', query: {userId: ninjaProfile.userId}}, function (err, ninjaUsersDojos) {
           if (err) return done(err);
           var attendeeO13TypeFound = _.find(ninjaUsersDojos, function (ninjaUserDojo) {
-            return _.contains(ninjaUserDojo.userTypes, 'attendee-o13');
+            return _.includes(ninjaUserDojo.userTypes, 'attendee-o13');
           });
           if (attendeeO13TypeFound || ninjaProfile.userType === 'attendee-o13') return done();
           return done(new Error('Ninja must be an over 13 attendee'));
@@ -798,7 +798,7 @@ module.exports = function (options) {
       // Add ninja user id to Parent children array
       if (!parentProfile.children) parentProfile.children = [];
       parentProfile.children.push(ninjaProfile.userId);
-      parentProfile.ninjaInvites = _.without(parentProfile.ninjaInvites, _.findWhere(parentProfile.ninjaInvites, {id: inviteData.inviteTokenId}));
+      parentProfile.ninjaInvites = _.without(parentProfile.ninjaInvites, _.find(parentProfile.ninjaInvites, {id: inviteData.inviteTokenId}));
 
       if (!ninjaProfile.parents) ninjaProfile.parents = [];
       ninjaProfile.parents.push(parentProfile.userId);

yarn.lock

@@ -3153,10 +3153,6 @@ [email protected], lodash@^3.10.0, lodash@^3.10.1, lodash@^3.2.0, lodash@^3.3.1, lod
   version "3.10.1"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6"
 
-[email protected]:
-  version "3.7.0"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.7.0.tgz#3678bd8ab995057c07ade836ed2ef087da811d45"
-
 [email protected]:
   version "3.9.3"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.9.3.tgz#0159e86832feffc6d61d852b12a953b99496bd32"
@@ -3177,6 +3173,10 @@ [email protected]:
   version "4.15.0"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.15.0.tgz#3162391d8f0140aa22cf8f6b3c34d6b7f63d3aa9"
 
+[email protected]:
+  version "4.17.10"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
+
 [email protected]:
   version "4.2.1"
   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.2.1.tgz#171fdcfbbc30d689c544cd18c0529f56de6c1aa9"