defaults-deep icon indicating copy to clipboard operation
defaults-deep copied to clipboard

Published 20 hours ago verified publisher icon jonschlinkert

fix: exclude `constructor.prototype`

Open pi0 opened this issue 5 years ago • 1 comments

Fix prototype pollution:

  • fix https://www.npmjs.com/advisories/778
  • fix https://hackerone.com/reports/380878 (CVE-2018-16486)
  • add a test to prevent regressions

Related commit: c873f341327ad885ff4d0f23b3d3bca31b0343e5 (exclude __proto__) in 2.4.0

Similar lodash fix: https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

pi0 avatar Feb 07 '19 06:02 pi0