NodeJS/mixin-deep/1.3.1
Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.
https://www.npmjs.com/package/mixin-deep
MIT
1 Security Vulnerability
Prototype Pollution in mixin-deep
Published date: 2019-08-27T17:42:33Z
CVE: CVE-2019-10746
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10746
- https://github.com/advisories/GHSA-fhjf-83wg-r2j9
- https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/
- https://www.npmjs.com/advisories/1013
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
- https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50
Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, so that a property is added, or an existing property is modified, on all objects.
Recommendation
If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.
Affected versions:
["2.0.0", "0.1.0", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.2.0", "1.3.0", "1.3.1"]
Secure versions:
[2.0.1, 1.3.2]
Recommendation:
Update to version 2.0.1.
13 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
2.0.1 | MIT | | 2019-06-19 - 17:47 | over 5 years |
2.0.0 | MIT | 1 | 2018-07-11 - 14:11 | about 6 years |
1.3.2 | MIT | | 2019-06-24 - 20:33 | about 5 years |
1.3.1 | MIT | 1 | 2018-02-07 - 16:28 | over 6 years |
1.3.0 | MIT | 3 | 2017-12-09 - 06:49 | almost 7 years |
1.2.0 | MIT | 3 | 2017-03-02 - 13:40 | over 7 years |
1.1.3 | MIT | 3 | 2015-08-29 - 02:08 | about 9 years |
1.1.2 | MIT | 3 | 2015-08-21 - 06:31 | about 9 years |
1.1.1 | MIT | 3 | 2015-05-28 - 07:48 | over 9 years |
1.1.0 | MIT | 3 | 2015-04-30 - 00:52 | over 9 years |
1.0.1 | MIT | 3 | 2015-02-25 - 11:15 | over 9 years |
1.0.0 | MIT | 3 | 2015-02-25 - 11:12 | over 9 years |
0.1.0 | MIT | 3 | 2014-09-22 - 15:35 | almost 10 years |