Security News
Another Round of TEA Protocol Spam Floods npm, But It’s Not a Worm
Recent coverage mislabels the latest TEA protocol spam as a worm. Here’s what’s actually happening.
By Philipp Burckhardt - Nov 14, 2025
deepmerge
~550B gzipped, ~1.0kB minified
Merge the enumerable attributes of two objects deeply.
example
var x = {
foo: { bar: 3 },
array: [{
does: 'work',
too: [ 1, 2, 3 ]
}]
}
var y = {
foo: { baz: 4 },
quux: 5,
array: [{
does: 'work',
too: [ 4, 5, 6 ]
}, {
really: 'yes'
}]
}
var expected = {
foo: {
bar: 3,
baz: 4
},
array: [{
does: 'work',
too: [ 1, 2, 3, 4, 5, 6 ]
}, {
really: 'yes'
}],
quux: 5
}
merge(x, y) // => expected
methods
var merge = require('deepmerge')
merge(x, y, [options])
Merge two objects x and y deeply, returning a new merged object with the
elements from both x and y.
If an element at the same key is present for both x and y, the value from
y will appear in the result.
Merging creates a new object, so that neither x or y are be modified. However, child objects on x or y are copied over - if you to copy all values, you must pass true to the clone option.
merge.all(arrayOfObjects, [options])
Merges two or more objects into a single result object.
var x = { foo: { bar: 3 } }
var y = { foo: { baz: 4 } }
var z = { bar: 'yay!' }
var expected = { foo: { bar: 3, baz: 4 }, bar: 'yay!' }
merge.all([x, y, z]) // => expected
options
arrayMerge
The merge will also merge arrays and array values by default. However, there are nigh-infinite valid ways to merge arrays, and you may want to supply your own. You can do this by passing an arrayMerge function as an option.
function concatMerge(destinationArray, sourceArray, options) {
destinationArray // => [1, 2, 3]
sourceArray // => [3, 2, 1]
options // => { arrayMerge: concatMerge }
return destinationArray.concat(sourceArray)
}
merge([1, 2, 3], [3, 2, 1], { arrayMerge: concatMerge }) // => [1, 2, 3, 3, 2, 1]
clone
Defaults to false. If clone is true then both x and y are recursively cloned as part of the merge.
install
With npm do:
npm install deepmerge
test
With npm do:
npm test
license
MIT
Other packages similar to deepmerge
lodash.merge
Lodash provides a merge function that can recursively merge own and inherited enumerable string keyed properties of source objects into the destination object. It's similar to deepmerge but is part of the larger lodash utility library.
extend
The extend package is a port of the jQuery.extend method that can deep copy both arrays and objects. It is less specialized than deepmerge and does not provide as many options for customizing the merge behavior.
object-assign-deep
This package offers functionality similar to Object.assign but with deep merging capabilities. It is a smaller and more focused utility compared to deepmerge, but it may not offer the same level of customization for array merging and other specific use cases.
FAQs
A library for deep (recursive) merging of Javascript objects
The npm package deepmerge receives a total of 40,852,754 weekly downloads. As such, deepmerge popularity was classified as popular.
We found that deepmerge demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 27 Jan 2017
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
PyPI Expands Trusted Publishing to GitLab Self-Managed as Adoption Passes 25 Percent
PyPI adds Trusted Publishing support for GitLab Self-Managed as adoption reaches 25% of uploads
By Sarah Gooding - Nov 14, 2025
Research
/Security News
Malicious Chrome Extension Exfiltrates Seed Phrases, Enabling Wallet Takeover
A malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions, enabling full wallet takeover.
By Kirill Boychenko - Nov 12, 2025