Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prototype pollution in _.defaultsDeep #4336

Merged
merged 1 commit into from Jun 24, 2019
Merged

fix: prototype pollution in _.defaultsDeep #4336

merged 1 commit into from Jun 24, 2019

Conversation

Kirill89
Copy link

The PR is fixing a Prototype Pollution vulnerability in _.defaultsDeep.

You can see details about similar vulnerability here: https://snyk.io/vuln/SNYK-JS-LODASH-73638

@jsf-clabot
Copy link

jsf-clabot commented Jun 19, 2019
edited

CLA assistant check
All committers have signed the CLA.

@Kirill89 Kirill89 mentioned this pull request Jun 19, 2019
Merged
@jdalton jdalton added the bug label Jun 24, 2019
@jdalton jdalton merged commit 1f8ea07 into lodash:4.17.12-pre Jun 24, 2019
@jdalton
Copy link
Member

jdalton commented Jun 24, 2019

Thank you @Kirill89!

@ghost ghost mentioned this pull request Jul 3, 2019
Merged
@willdurand willdurand mentioned this pull request Jul 3, 2019
Merged
@benjie benjie mentioned this pull request Jul 4, 2019
Closed
@spencern spencern mentioned this pull request Jul 5, 2019
Merged
@falsyvalues
Copy link
Contributor

Lodash v4.17.13 was released yesterday.

@tylerlevine tylerlevine mentioned this pull request Jul 10, 2019
Merged
kocisov added a commit to kocisov/clai that referenced this pull request Jul 10, 2019
@kocisov
upgrade lodash
be13d34 
lodash/lodash#4336
mearns added a commit to mearns/tracking-promise that referenced this pull request Jul 11, 2019
@mearns
Update lodash for prototype pollution vulnerability
7ca8be2 
lodash/lodash#4336
dshoreman added a commit to dshoreman/servidor that referenced this pull request Jul 11, 2019
@dshoreman
🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch) (#82)
02e747f 
🚨 [security] Update lodash: 4.17.11 → 4.17.14 (patch)

Advisory: CVE-2019-10744
Disclosed: July 10, 2019
URL: lodash/lodash#4336
@mileslane mileslane mentioned this pull request Jul 11, 2019
Closed
@MichaelWalker-git MichaelWalker-git mentioned this pull request Jul 11, 2019
Merged
adamansky added a commit to Softmotions/ejdb that referenced this pull request Jul 11, 2019
@adamansky
* ejdb2_node (1.0.4)
c221086 
   fixed CVE-2019-10744 lodash/lodash#4336
blundin added a commit to blundin/brianlundin.com that referenced this pull request Jul 11, 2019
@blundin
fixing security vulnerability: lodash/lodash#4336
282e4df
emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019
fix(@vue/cli-service): Update lodash.defaultsdeep
17845f1 
Update `lodash.defaultsdeep` to version `^4.6.1`.

This is causing a high severity vulnerability in our repo.

Fixed in lodash/lodash#4336.
emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019
fix(@vue/cli-service): Update lodash.defaultsdeep
ed34b96 
Update `lodash.defaultsdeep` to version `^4.6.1`.

This is causing a high severity vulnerability in our repo.

Fixed in lodash/lodash#4336.
@emizzle emizzle mentioned this pull request Jul 11, 2019
Merged
zjm724 added a commit to zjm724/udemy-course-burger-builder that referenced this pull request Jul 11, 2019
@zjm724
update lodash.template fix in lodash/lodash#4336
47645f0
danwild added a commit to onaci/leaflet-velocity that referenced this pull request Jul 11, 2019
@danwild
security patches for build deps
0c333d1 
lodash/lodash#4336
emizzle pushed a commit to emizzle/vue-cli that referenced this pull request Jul 11, 2019
fix(@vue/cli-service): Update lodash.defaultsdeep
bb51a67 
Update `lodash.defaultsdeep` to version `^4.6.1`.

This is causing a high severity vulnerability in our repo.

Fixed in lodash/lodash#4336.
@owenvoke owenvoke mentioned this pull request Jul 11, 2019
Merged
4 tasks
foosinn added a commit to bitsbeats/hub that referenced this pull request Jul 11, 2019
@foosinn
security fix CVE-2019-10744
35c1d26 
see lodash/lodash#4336
@evq evq mentioned this pull request Jul 11, 2019
Merged
@lucasfeliciano lucasfeliciano mentioned this pull request Jul 11, 2019
Merged
@karlhorky karlhorky mentioned this pull request Jul 11, 2019
Closed
leothekim pushed a commit to trialspark/enzyme-context that referenced this pull request Jul 15, 2019
Update lodash.merge to 4.6.2 (#27)
db5ee51 
To address a security vulnerability:
lodash/lodash#4336
andrew-jung added a commit to sdelements/material-ui that referenced this pull request Jul 15, 2019
@andrew-jung
Update package.json
f2ae5bf 
Update lodash.merge to ^4.6.2 (from ^4.6.0)

https://github.com/lodash/lodash/issues/4348
lodash/lodash#4336
@andrew-jung andrew-jung mentioned this pull request Jul 15, 2019
Closed
@dannypaz dannypaz mentioned this pull request Jul 15, 2019
Merged
ricmoo added a commit to ethers-io/ethers.js that referenced this pull request Jul 15, 2019
@ricmoo
Updated package-lock for lodash security advisory; the package is onl…
d719064 
…y a development dependency, so no urgent need to publish, just for developers (lodash/lodash#4336).
ricmoo added a commit to ricmoo/Takoyaki that referenced this pull request Jul 15, 2019
@ricmoo
Updated security advisory; only devDependency, so not urgent, just fo…
888941f 
…r developers (lodash/lodash#4336).
@pastelmind pastelmind mentioned this pull request Jul 16, 2019
Merged
@kenshin-samourai kenshin-samourai mentioned this pull request Jul 16, 2019
Merged
brophdawg11 added a commit to brophdawg11/state-machine that referenced this pull request Jul 16, 2019
@brophdawg11
Pin lodash to >=4.17.13 for security reasons
26e8d70 
See:
 - lodash/lodash#4336
 - https://snyk.io/vuln/SNYK-JS-LODASH-73638
@radu-matei radu-matei mentioned this pull request Jul 17, 2019
Merged
kennyadsl added a commit to nebulab/solidus that referenced this pull request Jul 17, 2019
@kennyadsl
Bump lodash for a security vulnerability
3cca7ff 
CVE-2019-10744
lodash/lodash#4336

This is not critical since we only use lodash in development
@kennyadsl kennyadsl mentioned this pull request Jul 17, 2019
Merged
2 tasks
@lodash lodash locked and limited conversation to collaborators Jul 17, 2019
ozgurgunes added a commit to ozgurgunes/Sketch-Case-Converter that referenced this pull request Aug 1, 2019
@ozgurgunes
Fixes lodash/lodash#4336
9ef1100
ozgurgunes added a commit to ozgurgunes/Sketch-Symbol-States that referenced this pull request Aug 1, 2019
@ozgurgunes
fixes lodash/lodash#4336
6b66a37
ozgurgunes added a commit to ozgurgunes/Sketch-Overrides-Manager that referenced this pull request Aug 1, 2019
@ozgurgunes
fixes lodash/lodash#4336
105d9f3
ozgurgunes added a commit to ozgurgunes/Sketch-Layer-Comps that referenced this pull request Aug 1, 2019
@ozgurgunes
fixes lodash/lodash#4336
1bd0cce
ozgurgunes added a commit to ozgurgunes/Sketch-Turkish-Data that referenced this pull request Aug 1, 2019
@ozgurgunes
fixes lodash/lodash#4336
3258531
egalano added a commit to INFURA/devp2p-network that referenced this pull request Aug 6, 2019
@egalano
Lodash sec fix lodash/lodash#4336
8efb124
egalano added a commit to INFURA/devp2p-network that referenced this pull request Aug 6, 2019
@egalano
Lodash sec fix lodash/lodash#4336 (#14)
940b955
@lodash lodash deleted a comment from Kirill89 Nov 16, 2021
@lodash lodash deleted a comment from KrayzeeKev Nov 16, 2021
@lodash lodash deleted a comment from MRhyne1931 Nov 16, 2021
@lodash lodash deleted a comment from luke-perry Nov 16, 2021
@lodash lodash deleted a comment from jagij Nov 16, 2021
@lodash lodash deleted a comment from ChristianMurphy Nov 16, 2021
@lodash lodash deleted a comment from patrick-ausderau Nov 16, 2021
@lodash lodash deleted a comment from dayknchung Nov 16, 2021
@jdalton jdalton added issue bankruptcy Closing the issue/PR to start fresh and removed issue bankruptcy Closing the issue/PR to start fresh labels Sep 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Kirill89 @jsf-clabot @jdalton @falsyvalues