
Commit a8a7147

Merge pull request #217 from rtfpessoa/fix-merge-vuln
fix: Remove lodash.merge for merge
2 parents 7e9930b + 07f94ae commit a8a7147


3 files changed

+8
-10
lines changed


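--- a/package.json
+++ b/package.json
@@ -56,7 +56,7 @@
 "dependencies": {
 "diff": "^4.0.1",
 "hogan.js": "^3.0.2",
-"lodash.merge": "^4.6.1",
+"merge": "^1.2.1",
 "whatwg-fetch": "^3.0.0"
 },
 "devDependencies": {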

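--- a/src/utils.js
+++ b/src/utils.js
@@ -6,7 +6,7 @@
 */
 
 (function() {
-var merge = require('lodash.merge');
+var merge = require('merge');
 
 function Utils() {
 }
@@ -41,9 +41,7 @@
 };
 
 Utils.prototype.safeConfig = function(cfg, defaultConfig) {
-var newCfg = {};
-merge(newCfg, defaultConfig, cfg);
-return newCfg;
+return merge.recursive(true, defaultConfig, cfg);
 };
 
 module.exports.Utils = new Utils();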
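Review bot: In the second hunk, `safeConfig` recursively merges caller-supplied `cfg` with no key filtering of its own, so protection against `__proto__`/`constructor` keys reaching `Object.prototype` now rests entirely on the `merge` release resolved in yarn.lock. Given that the branch name marks this as a vulnerability fix, a regression test belongs with it: pass a `cfg` parsed from JSON that carries a `__proto__` key and assert that a fresh `{}` has gained no properties. The swap may also change results: `lodash.merge` skips `undefined` source values and merges arrays by index, and `merge.recursive` may not, so a `cfg` key explicitly set to `undefined` could now override its default. I would add a comment above the return, `// true = clone: returns a new object; defaultConfig and cfg are left untouched`, if that reading of the `merge` API is right. `safeConfig` is fully visible, but the enclosing IIFE continues outside both hunks.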

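--- a/yarn.lock
+++ b/yarn.lock
@@ -2227,11 +2227,6 @@ lodash.memoize@~3.0.3:
 resolved "https://registry.yarnpkg.com/lodash.memoize/-/lodash.memoize-3.0.4.tgz#2dcbd2c287cbc0a55cc42328bd0c736150d53e3f"
 integrity sha1-LcvSwofLwKVcxCMovQxzYVDVPj8=
 
-lodash.merge@^4.6.1:
-version "4.6.1"
-resolved "https://registry.yarnpkg.com/lodash.merge/-/lodash.merge-4.6.1.tgz#adc25d9cb99b9391c59624f379fbba60d7111d54"
-integrity sha512-AOYza4+Hf5z1/0Hztxpm2/xiPZgi/cjMqdnKTUWTBSKchJlxXXuUSxCCl8rJlf4g6yww/j6mA8nC8Hw/EZWxKQ==
-
 lodash@^4.17.11, lodash@^4.17.4:
 version "4.17.11"
 resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#b39ea6229ef607ecd89e2c8df12536891cac9b8d"
@@ -2291,6 +2286,11 @@ merge2@^1.2.3:
 resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.2.3.tgz#7ee99dbd69bb6481689253f018488a1b902b0ed5"
 integrity sha512-gdUU1Fwj5ep4kplwcmftruWofEFt6lfpkkr3h860CXbAB9c3hGb55EOL2ali0Td5oebvW0E1+3Sr+Ur7XfKpRA==
 
+merge@^1.2.1:
+version "1.2.1"
+resolved "https://registry.yarnpkg.com/merge/-/merge-1.2.1.tgz#38bebf80c3220a8a487b6fcfb3941bb11720c145"
+integrity sha512-VjFo4P5Whtj4vsLzsYBu5ayHhoHJ0UqNm7ibvShmbmoz7tGi0vXaoJbGdB+GmDMLUdg8DpQXEIeVDAe8MaABvQ==
+
 micromatch@^3.1.10, micromatch@^3.1.4:
 version "3.1.10"
 resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-3.1.10.tgz#70859bc95c9840952f359a068a3fc49f9ecfac23"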
