Advisories for Npm/Lodash.defaultsdeep package

2020

Prototype Pollution in lodash.defaultsdeep

Versions of lodash.defaultsdeep are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects. Update to or later.

2019

Prototype Pollution in lodash

Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {…}}} causing the addition or modification of an existing property that will exist on all objects.