@jalik/deep-extend - npm Package Compare versions

Comparing version 1.1.11 to 1.1.12

CHANGELOG.md

 # Changelog
 
+## v1.1.12
+- Fixed potential prototype pollution while merging
+- Upgraded dependencies
+
 ## v1.1.11
@@ -4,0 +8,0 @@ - Upgraded dependencies

dist/deepExtend.js

@@ -76,8 +76,10 @@ "use strict";
           for (var j = 0; j < keys.length; j += 1) {
-            var key = keys[j];
+            var key = keys[j]; // Avoid prototype pollution.
 
-            if ((0, _typeof2["default"])(b[key]) === 'object' && b[key] !== null) {
-              a[key] = deepExtend(a[key], b[key]);
-            } else if (typeof b[key] !== 'undefined') {
-              a[key] = b[key];
+            if (key !== '__proto__') {
+              if ((0, _typeof2["default"])(b[key]) === 'object' && b[key] !== null) {
+                a[key] = deepExtend(a[key], b[key]);
+              } else if (typeof b[key] !== 'undefined') {
+                a[key] = b[key];
+              }
             }
@@ -84,0 +86,0 @@ }

package.json

 {
   "name": "@jalik/deep-extend",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "A utility to merge deep objects.",
@@ -37,18 +37,18 @@ "license": "MIT",
   "dependencies": {
-    "@babel/runtime": "^7.12.5"
+    "@babel/runtime": "^7.14.0"
   },
   "devDependencies": {
-    "@babel/cli": "^7.12.10",
-    "@babel/core": "^7.12.10",
-    "@babel/plugin-transform-runtime": "^7.12.10",
-    "@babel/preset-env": "^7.12.11",
-    "acorn": "^8.0.4",
-    "ajv": "^7.0.3",
-    "eslint": "^7.18.0",
+    "@babel/cli": "^7.14.3",
+    "@babel/core": "^7.14.3",
+    "@babel/plugin-transform-runtime": "^7.14.3",
+    "@babel/preset-env": "^7.14.2",
+    "acorn": "^8.2.4",
+    "ajv": "^8.4.0",
+    "eslint": "^7.26.0",
     "eslint-config-airbnb-base": "^14.2.1",
-    "eslint-plugin-import": "^2.22.1",
-    "eslint-plugin-jest": "^24.1.3",
+    "eslint-plugin-import": "^2.23.2",
+    "eslint-plugin-jest": "^24.3.6",
     "jest": "^26.6.3",
-    "typescript": "^4.1.3"
+    "typescript": "^4.2.4"
   }
 }

src/deepExtend.js

@@ -61,6 +61,9 @@ /*
 
-            if (typeof b[key] === 'object' && b[key] !== null) {
-              a[key] = deepExtend(a[key], b[key]);
-            } else if (typeof b[key] !== 'undefined') {
-              a[key] = b[key];
+            // Avoid prototype pollution.
+            if (key !== '__proto__') {
+              if (typeof b[key] === 'object' && b[key] !== null) {
+                a[key] = deepExtend(a[key], b[key]);
+              } else if (typeof b[key] !== 'undefined') {
+                a[key] = b[key];
+              }
             }
@@ -67,0 +70,0 @@ }

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

9700

increased by2.99%

Lines of code

157

increased by3.29%

Dependency changes

• Updated@babel/runtime@^7.14.0