lodash
4.17.23 → 4.18.1
lodash.js~
lodash.jsModified+38−27
Index: package/lodash.js
===================================================================
--- package/lodash.js
+++ package/lodash.js
@@ -11,17 +11,18 @@
/** Used as a safe reference for `undefined` in pre-ES5 environments. */
var undefined;
/** Used as the semantic version number. */
- var VERSION = '4.17.23';
+ var VERSION = '4.18.1';
/** Used as the size to enable large array optimizations. */
var LARGE_ARRAY_SIZE = 200;
/** Error message constants. */
var CORE_ERROR_TEXT = 'Unsupported core-js use. Try https://npms.io/search?q=ponyfill.',
FUNC_ERROR_TEXT = 'Expected a function',
- INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
+ INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`',
+ INVALID_TEMPL_IMPORTS_ERROR_TEXT = 'Invalid `imports` option passed into `_.template`';
/** Used to stand-in for `undefined` hash values. */
var HASH_UNDEFINED = '__lodash_hash_undefined__';
@@ -1751,8 +1752,12 @@
* By default, the template delimiters used by lodash are like those in
* embedded Ruby (ERB) as well as ES2015 template strings. Change the
* following template settings to use alternative delimiters.
*
+ * **Security:** See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md)
+ * — `_.template` is insecure and will be removed in v5.
+ *
* @static
* @memberOf _
* @type {Object}
*/
@@ -2299,9 +2304,9 @@
* @private
* @name has
* @memberOf SetCache
* @param {*} value The value to search for.
- * @returns {number} Returns `true` if `value` is found, else `false`.
+ * @returns {boolean} Returns `true` if `value` is found, else `false`.
*/
function setCacheHas(value) {
return this.__data__.has(value);
}
@@ -4370,42 +4375,29 @@
*/
function baseUnset(object, path) {
path = castPath(path, object);
- // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+ // Prevent prototype pollution:
+ // https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+ // https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
var index = -1,
length = path.length;
if (!length) {
return true;
}
- var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
-
while (++index < length) {
- var key = path[index];
+ var key = toKey(path[index]);
- // skip non-string keys (e.g., Symbols, numbers)
- if (typeof key !== 'string') {
- continue;
- }
-
// Always block "__proto__" anywhere in the path if it's not expected
if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
return false;
}
- // Block "constructor.prototype" chains
- if (key === 'constructor' &&
- (index + 1) < length &&
- typeof path[index + 1] === 'string' &&
- path[index + 1] === 'prototype') {
-
- // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
- if (isRootPrimitive && index === 0) {
- continue;
- }
-
+ // Block constructor/prototype as non-terminal traversal keys to prevent
+ // escaping the object graph into built-in constructors and prototypes.
+ if ((key === 'constructor' || key === 'prototype') && index < length - 1) {
return false;
}
}
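Review bot: The `__proto__` guard in the loop still tests `hasOwnProperty.call(object, '__proto__')` against the root `object` on every iteration, not against the value reached at `path[index]`. A root that carries an own `__proto__` key (for example one produced by a JSON parser) therefore relaxes the check at every depth of the path, which does not match the comment "Always block ... anywhere in the path". If nested own `__proto__` keys do not need to be supported, the exemption could be limited to the first segment: `if (key === '__proto__' && (index > 0 || !hasOwnProperty.call(object, '__proto__'))) {`. The commit also drops the primitive-root exception, so `_.unset(0, 'constructor.prototype.a')` now returns `false`; a regression test pinning that would be useful. The rest of `baseUnset` lies outside the hunk, so how the path is traversed after the loop is not visible here.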
@@ -6960,9 +6952,9 @@
}
/**
* Creates an array with all falsey values removed. The values `false`, `null`,
- * `0`, `""`, `undefined`, and `NaN` are falsey.
+ * `0`, `-0`, `0n`, `""`, `undefined`, and `NaN` are falsy.
*
* @static
* @memberOf _
* @since 0.1.0
@@ -7499,9 +7491,9 @@
result = {};
while (++index < length) {
var pair = pairs[index];
- result[pair[0]] = pair[1];
+ baseAssignValue(result, pair[0], pair[1]);
}
return result;
}
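Review bot: The switch from `result[pair[0]] = pair[1]` to `baseAssignValue(result, pair[0], pair[1])` has no comment explaining why a helper replaces plain assignment, so a later cleanup could revert it. `baseAssignValue` is defined outside this hunk; if it behaves as elsewhere in lodash, it defines a `__proto__` key as an own data property instead of going through the prototype setter. I would add `// Use baseAssignValue so a '__proto__' key becomes an own property and never replaces the prototype of result.` above the call. A test asserting that the prototype of the result is unchanged for a `['__proto__', value]` pair would pin the behaviour. The function's signature and opening lines are outside the hunk.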
@@ -14159,8 +14151,10 @@
*
* **Note:** JavaScript follows the IEEE-754 standard for resolving
* floating-point values which can produce unexpected results.
*
+ * **Note:** If `lower` is greater than `upper`, the values are swapped.
+ *
* @static
* @memberOf _
* @since 0.7.0
* @category Number
@@ -14172,11 +14166,18 @@
*
* _.random(0, 5);
* // => an integer between 0 and 5
*
+ * // when lower is greater than upper the values are swapped
+ * _.random(5, 0);
+ * // => an integer between 0 and 5
+ *
* _.random(5);
* // => also an integer between 0 and 5
*
+ * _.random(-5);
+ * // => an integer between -5 and 0
+ *
* _.random(5, true);
* // => a floating-point number between 0 and 5
*
* _.random(1.2, 5.2);
@@ -14776,8 +14777,12 @@
* "escape" delimiters, and execute JavaScript in "evaluate" delimiters. Data
* properties may be accessed as free variables in the template. If a setting
* object is given, it takes precedence over `_.templateSettings` values.
*
+ * **Security:** `_.template` is insecure and should not be used. It will be
+ * removed in Lodash v5. Avoid untrusted input. See
+ * [threat model](https://github.com/lodash/lodash/blob/main/threat-model.md).
+ *
* **Note:** In the development build `_.template` utilizes
* [sourceURLs](http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl)
* for easier debugging.
*
@@ -14883,14 +14888,20 @@
if (guard && isIterateeCall(string, options, guard)) {
options = undefined;
}
string = toString(string);
- options = assignInWith({}, options, settings, customDefaultsAssignIn);
+ options = assignWith({}, options, settings, customDefaultsAssignIn);
- var imports = assignInWith({}, options.imports, settings.imports, customDefaultsAssignIn),
+ var imports = assignWith({}, options.imports, settings.imports, customDefaultsAssignIn),
importsKeys = keys(imports),
importsValues = baseValues(imports, importsKeys);
+ arrayEach(importsKeys, function(key) {
+ if (reForbiddenIdentifierChars.test(key)) {
+ throw new Error(INVALID_TEMPL_IMPORTS_ERROR_TEXT);
+ }
+ });
+
var isEscaping,
isEvaluating,
index = 0,
interpolate = options.interpolate || reNoMatch,
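Review bot: The new `arrayEach` check on `importsKeys` has no comment saying why key names are validated, and it depends entirely on `reForbiddenIdentifierChars`, which is defined outside this hunk and cannot be reviewed here. Judging by the pattern's name the import keys end up as identifiers in the compiled template, and in that case a character denylist is only as strong as its character set. I would add `// Import keys become identifiers in the compiled template; reject any key containing characters that cannot appear in one.` above the loop, and cover whitespace, parentheses, `=`, `,` and braces in a unit test. The move from `assignInWith` to `assignWith` on both `options` and `imports` silently stops copying inherited properties; that is a behaviour change for callers passing objects with a prototype, and it deserves its own comment, e.g. `// Own properties only: inherited keys must not reach the compiled template.` The enclosing function starts and ends outside the hunk.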