Comparing lodash@4.17.23...lodash@4.18.0 • npm-diff.app 📦🔃

       if (isArray(iteratee)) {
         return function(value) {
           return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);
+        }
+        };
+      }
       return iteratee;
     });

 function baseUnset(object, path) {
   path = castPath(path, object);
+  // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+  // Prevent prototype pollution:
+  // https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+  // https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
+  // https://github.com/lodash/lodash/security/advisories/GHSA-w36w-cm3g-pc62
   var index = -1,
       length = path.length;
     return true;
+  }
+  var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
   while (++index < length) {
+    var key = path[index];
+    var key = toKey(path[index]);
+    // skip non-string keys (e.g., Symbols, numbers)
+    if (typeof key !== 'string') {
+      continue;
+    }
     // Always block "__proto__" anywhere in the path if it's not expected
     if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
       return false;
+    }
+    // Block "constructor.prototype" chains
+    if (key === 'constructor' &&
+        (index + 1) < length &&
+        typeof path[index + 1] === 'string' &&
+        path[index + 1] === 'prototype') {
+      // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+      if (isRootPrimitive && index === 0) {
+        continue;
+      }
+    // Block constructor/prototype as non-terminal traversal keys to prevent
+    // escaping the object graph into built-in constructors and prototypes.
+    if ((key === 'constructor' || key === 'prototype') && index < length - 1) {
       return false;
+    }
+  }

  * @name has
  * @memberOf SetCache
  * @param {*} value The value to search for.
+ * @returns {number} Returns `true` if `value` is found, else `false`.
+ * @returns {boolean} Returns `true` if `value` is found, else `false`.
  */
 function setCacheHas(value) {
   return this.__data__.has(value);

 /**
  * Creates an array with all falsey values removed. The values `false`, `null`,
+ * `0`, `""`, `undefined`, and `NaN` are falsey.
+ * `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy.
+ *
  * @static
  * @memberOf _

 /**
  * @license
  * Lodash (Custom Build) <https://lodash.com/>
+ * Build: `lodash core -o ./dist/lodash.core.js`
+ * Build: `lodash core -o ./core.js`
  * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
  * Released under MIT license <https://lodash.com/license>
  * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
   var undefined;
   /** Used as the semantic version number. */
+  var VERSION = '4.17.23';
+  var VERSION = '4.18.0';
   /** Error message constants. */
   var FUNC_ERROR_TEXT = 'Expected a function';
   /**
    * Creates an array with all falsey values removed. The values `false`, `null`,
+   * `0`, `""`, `undefined`, and `NaN` are falsey.
+   * `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy.
+   *
    * @static
    * @memberOf _

Comparing
`lodash@4.17.23`

Comparing
`lodash@4.17.23`

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

+++0---0

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

Bundlephobia

Source

@@ -20,7 +20,7 @@
20	20
21	21	while (++index < length) {
22	22	var pair = pairs[index];
23		result[pair[0]] = pair[1];
	23	baseAssignValue(result, pair[0], pair[1]);
24	24	}
25	25	return result;
26	26	}

  * **Note:** JavaScript follows the IEEE-754 standard for resolving
  * floating-point values which can produce unexpected results.
+ *
+ * **Note:** If `lower` is greater than `upper`, the values are swapped.
+ *
  * @static
  * @memberOf _
  * @since 0.7.0
  * _.random(0, 5);
  * // => an integer between 0 and 5
+ *
+ * // when lower is greater than upper the values are swapped
+ * _.random(5, 0);
+ * // => an integer between 0 and 5
+ *
  * _.random(5);
  * // => also an integer between 0 and 5
+ *
+ * _.random(-5);
+ * // => an integer between -5 and 0
+ *
  * _.random(5, true);
  * // => a floating-point number between 0 and 5
+ *

+var assignInWith = require('./assignInWith'),
+    attempt = require('./attempt'),
+var attempt = require('./attempt'),
     baseValues = require('./_baseValues'),
     customDefaultsAssignIn = require('./_customDefaultsAssignIn'),
     escapeStringChar = require('./_escapeStringChar'),
     toString = require('./toString');
 /** Error message constants. */
+var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
+var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`',
+    INVALID_TEMPL_IMPORTS_ERROR_TEXT = 'Invalid `imports` option passed into `_.template`';
 /** Used to match empty string literals in compiled template source. */
 var reEmptyStringLeading = /\b__p \+= '';/g,
  * properties may be accessed as free variables in the template. If a setting
  * object is given, it takes precedence over `_.templateSettings` values.
+ *
+ * **Security:** `_.template` is insecure and should not be used. It will be
+ * removed in Lodash v5. Avoid untrusted input. See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md).
+ *
  * **Note:** In the development build `_.template` utilizes
  * [sourceURLs](http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl)
  * for easier debugging.
     options = undefined;
+  }
   string = toString(string);
+  options = assignInWith({}, options, settings, customDefaultsAssignIn);
+  options = assignWith({}, options, settings, customDefaultsAssignIn);
+  var imports = assignInWith({}, options.imports, settings.imports, customDefaultsAssignIn),
+  var imports = assignWith({}, options.imports, settings.imports, customDefaultsAssignIn),
       importsKeys = keys(imports),
       importsValues = baseValues(imports, importsKeys);
+  arrayEach(importsKeys, function(key) {
+    if (reForbiddenIdentifierChars.test(key)) {
+      throw new Error(INVALID_TEMPL_IMPORTS_ERROR_TEXT);
+    }
+  });
   var isEscaping,
       isEvaluating,
       index = 0,

  * embedded Ruby (ERB) as well as ES2015 template strings. Change the
  * following template settings to use alternative delimiters.
+ *
+ * **Security:** See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md)
+ * — `_.template` is insecure and will be removed in v5.
+ *
  * @static
  * @memberOf _
  * @type {Object}

+{
   "name": "lodash",
+  "version": "4.17.23",
+  "version": "4.18.0",
   "description": "Lodash modular utilities.",
   "keywords": "modules, stdlib, util",
   "homepage": "https://lodash.com/",

+# lodash v4.17.23
+# lodash v4.18.0
 The [Lodash](https://lodash.com/) library exported as [Node.js](https://nodejs.org/) modules.
 var curryN = require('lodash/fp/curryN');
 ```
+See the [package source](https://github.com/lodash/lodash/tree/4.17.23-npm) for more details.
+See the [package source](https://github.com/lodash/lodash/tree/4.18.0-npm) for more details.
 **Note:**<br>
 Install [n_](https://www.npmjs.com/package/n_) for Lodash use in the Node.js < 6 REPL.

Comparinglodash@4.17.23

Comparinglodash@4.17.23

Source

npm diff

Options

Bundlephobia

Bundlephobia

Packagephobia

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

+++0---0

Packagephobia

_baseOrderBy.js +++1---1

_baseUnset.js +++8---20

_setCacheHas.js +++1---1

compact.js +++1---1

core.js +++3---3

fromPairs.js +++1---1

lodash.js +++39---27

random.js +++9---0

template.js +++15---5

templateSettings.js +++4---0

package.json +++1---1

README.md +++2---2

Bundlephobia

Source

Comparing
`lodash@4.17.23`

Comparing
`lodash@4.17.23`