Headline
CVE-2022-2246: Merge pull request from GHSA-8j79-hfj5-f2xm · Clever/underscore.deep@b5e109a
Prototype Pollution in GitHub repository clever/underscore.deep prior to 0.5.3.
@@ -20,3 +20,13 @@ describe '_.deepFromFlat’, -> _(tests).each (test) -> it "deepens #{JSON.stringify test.input}", -> assert.deepEqual _.deepFromFlat(test.input), test.output
it "does not merge special `Object` properties", -> _.deepFromFlat({ "__proto__.polluted1": true }) _.deepFromFlat({ "constructor.prototype.polluted2": true }) p1 = {}.polluted1 p2 = {}.polluted2 assert.strictEqual(p1, undefined) assert.strictEqual(p2, undefined) delete Object.prototype.polluted1 delete Object.prototype.polluted2
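Review bot: The cleanup at the end of the new "does not merge special Object properties" test (`delete Object.prototype.polluted1` and `delete Object.prototype.polluted2`) is only reached when both `assert.strictEqual` calls pass, so on a regression the polluted keys stay on `Object.prototype` and can skew every later test in the same process. Move the two `delete` lines into a `finally` after a `try` that wraps the calls and assertions, or into an `afterEach` hook, so they also run on failure. A one-line comment above the test would help future readers, for example `# regression test for GHSA-8j79-hfj5-f2xm: flat keys must not reach Object.prototype`. Only `_.deepFromFlat` is exercised here; whether the library's other deep helpers walk keys the same way is not visible in this hunk and is worth confirming.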