Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
dojo - npm Package Compare versions
Comparing version 1.16.4 to 1.16.5
@@ -95,3 +95,3 @@ define(["../global", "../has", "./config", "require", "module"], function(global, has, config, require, module){ | ||
| major: 1, minor: 16, patch: 4, flag: "", | ||
| major: 1, minor: 16, patch: 5, flag: "", | ||
| revision: rev ? rev[0] : NaN, | ||
@@ -98,0 +98,0 @@ toString: function(){ |
@@ -34,2 +34,6 @@ define(["./kernel", "../has", "../sniff"], function(dojo, has){ | ||
| var p = parts[i]; | ||
| // Fix for prototype pollution CVE-2021-23450 | ||
| if (p === '__proto__' || p === 'constructor') { | ||
| return; | ||
| } | ||
| if(!(p in context)){ | ||
@@ -36,0 +40,0 @@ if(create){ |
| { | ||
| "name": "dojo", | ||
| "version": "1.16.4", | ||
| "version": "1.16.5", | ||
| "directories": { | ||
@@ -14,3 +14,3 @@ "lib": "." | ||
| "sinon": "1.12.2", | ||
| "dojo": "1.16.4" | ||
| "dojo": "1.16.5" | ||
| }, | ||
@@ -17,0 +17,0 @@ "main": "main", |
@@ -65,2 +65,16 @@ define([ | ||
| assert.deepEqual(test, { foo: { bar: 'test' } }); | ||
| // CVE-2021-23450 tests | ||
| // Test that you can't set fields on Object.prototype itself. | ||
| const obj = {}; | ||
| lang.setObject("__proto__.vuln", "polluted!", obj); | ||
| assert.isUndefined("anything".vuln); | ||
| // Test that you can't set fields on Object.constructor itself. | ||
| lang.setObject("constructor.vuln", "polluted!", obj); | ||
| assert.isUndefined("anything".constructor.vuln); | ||
| // Test that you can still set normal fields in an obj. | ||
| lang.setObject("foo.bar", "value for normal field", obj); | ||
| assert.strictEqual(obj.foo.bar, "value for normal field"); | ||
| }, | ||
@@ -67,0 +81,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.01%
7222036
- Lines of code
- increased by0.01%
205876
No dependency changes