Comparing lodash@4.17.23...lodash@4.18.0 • npm-diff.app 📦🔃

@@ -23,7 +23,7 @@
23	if (isArray(iteratee)) {	23	if (isArray(iteratee)) {
24	return function(value) {	24	return function(value) {
25	return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);	25	return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);
26	}	26	};
27	}	27	}
28	return iteratee;	28	return iteratee;
29	});	29	});

 function baseUnset(object, path) {
   path = castPath(path, object);
+  // Prevent prototype pollution:
+  // https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+  // https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
+  // https://github.com/lodash/lodash/security/advisories/GHSA-w36w-cm3g-pc62
   var index = -1,
       length = path.length;
     return true;
+  }
+  var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
   while (++index < length) {
+    var key = toKey(path[index]);
+    // skip non-string keys (e.g., Symbols, numbers)
+    if (typeof key !== 'string') {
+      continue;
+    }
     // Always block "__proto__" anywhere in the path if it's not expected
     if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
       return false;
+    }
+    // Block "constructor.prototype" chains
+    if (key === 'constructor' &&
+        (index + 1) < length &&
+        typeof path[index + 1] === 'string' &&
+        path[index + 1] === 'prototype') {
+      // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+      if (isRootPrimitive && index === 0) {
+        continue;
+      }
+    // Block constructor/prototype as non-terminal traversal keys to prevent
+    // escaping the object graph into built-in constructors and prototypes.
+    if ((key === 'constructor' || key === 'prototype') && index < length - 1) {
       return false;
+    }
+  }

@@ -5,7 +5,7 @@
5	* @name has	5	* @name has
6	* @memberOf SetCache	6	* @memberOf SetCache
7	* @param {*} value The value to search for.	7	* @param {*} value The value to search for.
8	* @returns {number} Returns `true` if `value` is found, else `false`.	8	* @returns {boolean} Returns `true` if `value` is found, else `false`.
9	*/	9	*/
10	function setCacheHas(value) {	10	function setCacheHas(value) {
11	return this.__data__.has(value);	11	return this.__data__.has(value);

@@ -1,6 +1,6 @@
1	/**	1	/**
2	* Creates an array with all falsey values removed. The values `false`, `null`,	2	* Creates an array with all falsey values removed. The values `false`, `null`,
3	* `0`, `""`, `undefined`, and `NaN` are falsey.	3	* `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy.
4	*	4	*
5	* @static	5	* @static
6	* @memberOf _	6	* @memberOf _

@@ -1,7 +1,7 @@
1	/**	1	/**
2	* @license	2	* @license
3	* Lodash (Custom Build) <https://lodash.com/>	3	* Lodash (Custom Build) <https://lodash.com/>
4	* Build: `lodash core -o ./dist/lodash.core.js`	4	* Build: `lodash core -o ./core.js`
5	* Copyright OpenJS Foundation and other contributors <https://openjsf.org/>	5	* Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
6	* Released under MIT license <https://lodash.com/license>	6	* Released under MIT license <https://lodash.com/license>
7	* Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>	7	* Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
@@ -13,7 +13,7 @@
13	var undefined;	13	var undefined;
14		14
15	/** Used as the semantic version number. */	15	/** Used as the semantic version number. */
16	var VERSION = '4.17.23';	16	var VERSION = '4.18.0';
17		17
18	/** Error message constants. */	18	/** Error message constants. */
19	var FUNC_ERROR_TEXT = 'Expected a function';	19	var FUNC_ERROR_TEXT = 'Expected a function';
@@ -1477,7 +1477,7 @@
1477		1477
1478	/**	1478	/**
1479	* Creates an array with all falsey values removed. The values `false`, `null`,	1479	* Creates an array with all falsey values removed. The values `false`, `null`,
1480	* `0`, `""`, `undefined`, and `NaN` are falsey.	1480	* `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy.
1481	*	1481	*
1482	* @static	1482	* @static
1483	* @memberOf _	1483	* @memberOf _

Comparing
`lodash@4.17.23`

Comparing
`lodash@4.17.23`

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

+++0---0

Packagephobia

Bundlephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

Source

@@ -20,7 +20,7 @@
20		20
21	while (++index < length) {	21	while (++index < length) {
22	var pair = pairs[index];	22	var pair = pairs[index];
23	result[pair[0]] = pair[1];	23	baseAssignValue(result, pair[0], pair[1]);
24	}	24	}
25	return result;	25	return result;
26	}	26	}

  * **Note:** JavaScript follows the IEEE-754 standard for resolving
  * floating-point values which can produce unexpected results.
  *
+ * **Note:** If `lower` is greater than `upper`, the values are swapped.
+ *
  * @static
  * @memberOf _
  * @since 0.7.0
  * _.random(0, 5);
  * // => an integer between 0 and 5
  *
+ * // when lower is greater than upper the values are swapped
+ * _.random(5, 0);
+ * // => an integer between 0 and 5
+ *
  * _.random(5);
  * // => also an integer between 0 and 5
  *
+ * _.random(-5);
+ * // => an integer between -5 and 0
+ *
  * _.random(5, true);
  * // => a floating-point number between 0 and 5
  *

+var assignInWith = require('./assignInWith'),
+var attempt = require('./attempt'),
     baseValues = require('./_baseValues'),
     customDefaultsAssignIn = require('./_customDefaultsAssignIn'),
     escapeStringChar = require('./_escapeStringChar'),
     toString = require('./toString');
 /** Error message constants. */
+var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`',
+    INVALID_TEMPL_IMPORTS_ERROR_TEXT = 'Invalid `imports` option passed into `_.template`';
 /** Used to match empty string literals in compiled template source. */
 var reEmptyStringLeading = /\b__p \+= '';/g,
  * properties may be accessed as free variables in the template. If a setting
  * object is given, it takes precedence over `_.templateSettings` values.
+ *
+ * **Security:** `_.template` is insecure and should not be used. It will be
+ * removed in Lodash v5. Avoid untrusted input. See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md).
+ *
  * **Note:** In the development build `_.template` utilizes
  * [sourceURLs](http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl)
  * for easier debugging.
     options = undefined;
+  }
   string = toString(string);
+  options = assignWith({}, options, settings, customDefaultsAssignIn);
+  var imports = assignWith({}, options.imports, settings.imports, customDefaultsAssignIn),
       importsKeys = keys(imports),
       importsValues = baseValues(imports, importsKeys);
+  arrayEach(importsKeys, function(key) {
+    if (reForbiddenIdentifierChars.test(key)) {
+      throw new Error(INVALID_TEMPL_IMPORTS_ERROR_TEXT);
+    }
+  });
   var isEscaping,
       isEvaluating,
       index = 0,

  * embedded Ruby (ERB) as well as ES2015 template strings. Change the
  * following template settings to use alternative delimiters.
  *
+ * **Security:** See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md)
+ * — `_.template` is insecure and will be removed in v5.
+ *
  * @static
  * @memberOf _
  * @type {Object}

@@ -1,6 +1,6 @@
1	{	1	{
2	"name": "lodash",	2	"name": "lodash",
3	"version": "4.17.23",	3	"version": "4.18.0",
4	"description": "Lodash modular utilities.",	4	"description": "Lodash modular utilities.",
5	"keywords": "modules, stdlib, util",	5	"keywords": "modules, stdlib, util",
6	"homepage": "https://lodash.com/",	6	"homepage": "https://lodash.com/",

@@ -1,4 +1,4 @@
1	# lodash v4.17.23	1	# lodash v4.18.0
2		2
3	The [Lodash](https://lodash.com/) library exported as [Node.js](https://nodejs.org/) modules.	3	The [Lodash](https://lodash.com/) library exported as [Node.js](https://nodejs.org/) modules.
4		4
@@ -28,7 +28,7 @@
28	var curryN = require('lodash/fp/curryN');	28	var curryN = require('lodash/fp/curryN');
29	```	29	```
30		30
31	See the [package source](https://github.com/lodash/lodash/tree/4.17.23-npm) for more details.	31	See the [package source](https://github.com/lodash/lodash/tree/4.18.0-npm) for more details.
32		32
33	Note:<br>	33	Note:<br>
34	Install [n_](https://www.npmjs.com/package/n_) for Lodash use in the Node.js < 6 REPL.	34	Install [n_](https://www.npmjs.com/package/n_) for Lodash use in the Node.js < 6 REPL.

Comparinglodash@4.17.23

Comparinglodash@4.17.23

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

+++0---0

Packagephobia

Bundlephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

Source

Comparing
`lodash@4.17.23`

Comparing
`lodash@4.17.23`