backport lodash/lodash@a01e4fa

sailshq · Aug 20, 2019 · a621444 · a621444
1 parent f2450c7
commit a621444
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -12,6 +12,12 @@
 // ### Tue Apr 3, 2018
 // I added a patch based on https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
 // in order to resolve https://hackerone.com/reports/310443
+// -@mikermcneil
+//
+// ### Mon Aug 19, 2018
+// I added a patch based on https://github.com/lodash/lodash/pull/4336/files
+// in order to resolve https://snyk.io/vuln/SNYK-JS-LODASH-73638
+// -@rachaelshaw
 //
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
@@ -639,17 +645,18 @@
 
   // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   // Patched from https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a#diff-001d0647fb00f8336795faccdec19a31R1249
+  // and https://github.com/lodash/lodash/pull/4336/commits/a01e4fa727e7294cb7b2845570ba96b206926790
   //```
   /**
-   * Gets the value at `key`, unless `key` is "__proto__".
+   * Gets the value at `key`, unless `key` is "__proto__" or "constructor".
    *
    * @private
    * @param {Object} object The object to query.
    * @param {string} key The key of the property to get.
    * @returns {*} Returns the property value.
    */
   function safeGet(object, key) {
-    return key == '__proto__'
+    return key == '__proto__' || (key === 'constructor' && typeof object[key] === 'function')
       ? undefined
       : object[key];
   }