fix: prototype pollution in _.defaultsDeep #4336

Merged
merged 1 commit into from Jun 24, 2019
Conversation

@Kirill89

@Kirill89 Kirill89 commented Jun 19, 2019

This PR fixes a Prototype Pollution vulnerability in _.defaultsDeep.

You can see details about a similar vulnerability here: https://snyk.io/vuln/SNYK-JS-LODASH-73638
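The vulnerability class this PR addresses, as an added example that is not lodash's code: a deep-defaults helper in its unguarded form beside one that refuses to traverse prototype-affecting keys, plus a scanner a consumer can run on untrusted input before merging it. All function names are assumptions, and the guarded-key set deliberately goes beyond the `__proto__` key alone.

```javascript
// Added example (not lodash's own implementation). Shows why a deep
// merge that walks every own key of untrusted input can write into
// Object.prototype, and the guard that stops it.

// Keys that, as own properties of attacker-controlled JSON, let a deep
// merge reach the prototype chain. Assumed list; "__proto__" is the one
// the advisory describes, the other two are included for completeness.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Fills in missing properties of `target` from `source`, recursing into
// nested plain objects. `guard(key)` decides whether a key is traversed.
function defaultsDeepWith(target, source, guard) {
  for (const key of Object.keys(source)) {
    if (!guard(key)) continue;
    const srcVal = source[key];
    const dstVal = target[key];
    if (isPlainObject(srcVal)) {
      // Note: for key "__proto__", target[key] is Object.prototype itself,
      // which isPlainObject accepts, so the unguarded path recurses into it.
      if (!isPlainObject(dstVal)) target[key] = {};
      defaultsDeepWith(target[key], srcVal, guard);
    } else if (dstVal === undefined) {
      target[key] = srcVal;
    }
  }
  return target;
}

// Unguarded form: every own key is traversed, including "__proto__".
function defaultsDeepUnsafe(target, source) {
  return defaultsDeepWith(target, source, () => true);
}

// Hardened form: prototype-affecting keys are skipped, never descended into.
function defaultsDeepSafe(target, source) {
  return defaultsDeepWith(target, source, (k) => !UNSAFE_KEYS.has(k));
}

// Defensive input check: true if untrusted data carries a prototype-affecting
// own key at any depth. Useful as a reject-early step before any deep merge.
function hasUnsafeKeys(value) {
  if (!isPlainObject(value)) return false;
  return Object.keys(value).some((k) => UNSAFE_KEYS.has(k) || hasUnsafeKeys(value[k]));
}
```

A `__proto__` own key only arises from parsed data such as `JSON.parse`; an object literal with that key sets the prototype instead, so test inputs must be built from JSON text.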

@jsf-clabot

@jsf-clabot jsf-clabot commented Jun 19, 2019

CLA assistant check
All committers have signed the CLA.


@jdalton jdalton added the bug label Jun 24, 2019
@jdalton jdalton merged commit 1f8ea07 into lodash:4.17.12-pre Jun 24, 2019
@jdalton
Member

@jdalton jdalton commented Jun 24, 2019

Thank you @Kirill89!


@falsyvalues
Member

@falsyvalues falsyvalues commented Jul 10, 2019

Lodash v4.17.13 was released yesterday.


kocisov added a commit to kocisov/clai that referenced this issue Jul 10, 2019
mearns added a commit to mearns/tracking-promise that referenced this issue Jul 11, 2019
dshoreman added a commit to dshoreman/servidor that referenced this issue Jul 11, 2019
🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch)

Advisory: CVE-2019-10744
Disclosed: July 10, 2019
URL: lodash/lodash#4336
adamansky added a commit to Softmotions/ejdb that referenced this issue Jul 11, 2019
blundin added a commit to blundin/brianlundin.com that referenced this issue Jul 11, 2019
emizzle added a commit to emizzle/vue-cli that referenced this issue Jul 11, 2019
Update `lodash.defaultsdeep` to version `^4.6.1`.

This is causing a high severity vulnerability in our repo.

Fixed in lodash/lodash#4336.
zjm724 added a commit to zjm724/udemy-course-burger-builder that referenced this issue Jul 11, 2019
danwild added a commit to onaci/leaflet-velocity that referenced this issue Jul 11, 2019
foosinn added a commit to bitsbeats/hub that referenced this issue Jul 11, 2019
kengogo added a commit to indiegogo/vue-sfc-analyzer-webpack-plugin that referenced this issue Jul 15, 2019
kengogo added a commit to indiegogo/vuex-module-validatable-state that referenced this issue Jul 15, 2019
leothekim pushed a commit to trialspark/enzyme-context that referenced this issue Jul 15, 2019
To address a security vulnerability:
lodash/lodash#4336
andrew-jung added a commit to sdelements/material-ui that referenced this issue Jul 15, 2019
ricmoo added a commit to ethers-io/ethers.js that referenced this issue Jul 15, 2019
…y a development dependency, so no urgent need to publish, just for developers (lodash/lodash#4336).
ricmoo added a commit to ricmoo/Takoyaki that referenced this issue Jul 15, 2019
kennyadsl added a commit to nebulab/solidus that referenced this issue Jul 17, 2019
CVE-2019-10744
lodash/lodash#4336

This is not critical since we only use lodash in development
@lodash lodash locked and limited conversation to collaborators Jul 17, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Case-Converter that referenced this issue Aug 1, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Symbol-States that referenced this issue Aug 1, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Overrides-Manager that referenced this issue Aug 1, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Layer-Comps that referenced this issue Aug 1, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Turkish-Data that referenced this issue Aug 1, 2019
egalano added a commit to INFURA/devp2p-network that referenced this issue Aug 6, 2019
egalano added a commit to INFURA/devp2p-network that referenced this issue Aug 6, 2019