defaults-deep
fix: exclude `constructor.prototype`
Fix prototype pollution:
- fix https://www.npmjs.com/advisories/778
- fix https://hackerone.com/reports/380878 (CVE-2018-16486)
- add a test to prevent regressions
Related commit: c873f341327ad885ff4d0f23b3d3bca31b0343e5 (exclude `__proto__`) in 2.4.0
Similar lodash fix: https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
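
A regression check of the kind the commit message mentions, as an added example that is not the defaults-deep source or its test: a small deep-defaults merge run once without key filtering and once with it, over a constructed JSON document. The names `mergeDefaults`, `BLOCKED_KEYS` and `pollutesPrototype` are hypothetical, and the blocklist and the treatment of functions as mergeable are assumptions.

```javascript
// Added example: hypothetical helper names, not the defaults-deep source.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Functions count as mergeable here (assumption); that is what lets an
// unfiltered merge walk from target.constructor to Object.prototype.
function isMergeable(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

// Fill in missing keys of `target` from `source`, recursing into nested values.
// Keys listed in `blocked` are skipped at every depth.
function mergeDefaults(target, source, blocked) {
  for (const key of Object.keys(source)) {
    if (blocked.has(key)) continue;
    const current = target[key];
    const incoming = source[key];
    if (isMergeable(current) && isMergeable(incoming)) {
      mergeDefaults(current, incoming, blocked);
    } else if (current === undefined) {
      target[key] = incoming;
    }
  }
  return target;
}

const unfilteredMerge = (t, s) => mergeDefaults(t, s, new Set());
const filteredMerge = (t, s) => mergeDefaults(t, s, BLOCKED_KEYS);

// Regression check: merge a constructed untrusted document, report whether a
// fresh object inherits the marker, then restore Object.prototype.
function pollutesPrototype(merge) {
  const untrusted = JSON.parse(
    '{"constructor":{"prototype":{"marker":"set"}},"port":8080}' // constructed sample
  );
  const result = merge({}, untrusted);
  const polluted = ({}).marker === 'set';
  delete Object.prototype.marker;
  return { polluted, port: result.port };
}

console.log('unfiltered:', pollutesPrototype(unfilteredMerge));
console.log('filtered:  ', pollutesPrototype(filteredMerge));
```

The legitimate `port` default is applied in both runs; only the filtered merge leaves `Object.prototype` untouched.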