Prototype Pollution vulnerabilities #114
Comments
Gonna check if latest lodash.merge resolves this issue
…On Sun 5 May, 2019, 7:49 PM Anand Chowdhary, ***@***.***> wrote:
The dependency lodash.merge has a high severity vulnerability.
Source: https://app.snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
Seems like using lodash instead of lodash.merge is safer:
***@***.***
<ztoben/assets-webpack-plugin@9632e0c>
(Is it?)
lodash.merge doesn't seem to be getting updated anymore. Using lodash instead would have a big impact on bundle size. 😢
@championswimmer the issue you had with deepmerge was arrays were concat'ed right? That seems like a fixable issue. Did you have any other issues? I'm helping maintain ngrx-store-localstorage and facing the same issue. I went with lodash specifically because I saw you had trouble with deepmerge.
Yes it was the array concat issue
…On Sat 25 May, 2019, 7:53 PM David Burke, ***@***.***> wrote:
@championswimmer <https://github.com/championswimmer> the issue you had
with deepmerge was arrays were concat'ed right? That seems like a fixable
issue <https://github.com/TehShrike/deepmerge#overwrite-array>.
Did you have any other issues? I'm helping maintain
ngrx-store-localstorage and facing the same issue. I went with lodash
specifically because I saw you had trouble with deepmerge.
The dependency lodash.merge has a high severity vulnerability.
Source: https://app.snyk.io/vuln/SNYK-JS-LODASHMERGE-173732
Seems like using lodash instead of lodash.merge is safer: ztoben/assets-webpack-plugin@9632e0c (Is it?)
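One way to run the check this thread asks about, as an added example that is not part of the original issue or the project's code: `pollutesPrototype` accepts any two-argument merge function (an imported `lodash.merge` or `deepmerge` could be passed in its place) and reports whether a `__proto__` key parsed from JSON reaches `Object.prototype`. The functions `naiveMerge` and `safeMerge` and the marker name `pollutedProbe` are constructed for illustration.

```javascript
// Added example: constructed merge functions and probe, not code from this thread.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unhardened recursive merge: for the key "__proto__", target[key] resolves to
// Object.prototype, so the recursion writes onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened variant: skips prototype-related keys and only recurses into
// properties the target owns itself, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key]) && hasOwn(target, key) && isPlainObject(target[key])) {
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Regression check: merge a JSON-parsed payload (JSON.parse creates "__proto__"
// as an own property) and see whether a fresh object inherits the marker.
function pollutesPrototype(mergeFn) {
  const probe = 'pollutedProbe'; // constructed marker name
  const payload = JSON.parse('{"__proto__": {"pollutedProbe": true}}');
  try {
    mergeFn({}, payload);
    return ({})[probe] === true;
  } finally {
    delete Object.prototype[probe]; // always restore the prototype
  }
}

console.log('naiveMerge pollutes:', pollutesPrototype(naiveMerge));
console.log('safeMerge pollutes:', pollutesPrototype(safeMerge));
```

Running the same probe against the merge dependency in a unit test catches a regression if the library is swapped or downgraded later.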