putil-merge@1.0.0 vulnerabilities

Lightweight solution for merging multiple objects into one. It also supports deep merge and deep clone.

Direct Vulnerabilities

Known vulnerabilities in the putil-merge package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • [H] Prototype Pollution

putil-merge is a lightweight solution for merging multiple objects into one. It also supports deep merge.

Affected versions of this package are vulnerable to Prototype Pollution. The merge() function does not validate the values passed to it as arguments. An attacker can supply a malicious value that includes the constructor property.

Note: This vulnerability derives from an incomplete fix in https://security.snyk.io/vuln/SNYK-JS-PUTILMERGE-1317077

How to fix Prototype Pollution?

Upgrade putil-merge to version 3.8.0 or higher.

Vulnerable version: <3.8.0
  • [H] Prototype Pollution

putil-merge is a lightweight solution for merging multiple objects into one. It also supports deep merge.

Affected versions of this package are vulnerable to Prototype Pollution. The merge() function does not validate the values passed to it as arguments. An attacker can supply a malicious value that includes the __proto__ property.

How to fix Prototype Pollution?

Upgrade putil-merge to version 3.7.0 or higher.

Vulnerable version: <3.7.0
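
Both entries come down to which key names a recursive merge is willing to follow, and why a filter on `__proto__` alone leaves the `constructor` route open. The sketch below is an added example, not putil-merge's code or its actual patches: a generic deep merge compared under a `__proto__`-only filter and under a filter that also blocks `constructor` and `prototype`, where `makeMerge`, `reachesPrototype`, `ppCanary` and the JSON inputs are constructed for illustration.

```javascript
// Added example: a generic recursive merge, not putil-merge's source.
// makeMerge, reachesPrototype and ppCanary are hypothetical names.
const isContainer = (v) =>
  v !== null && (typeof v === 'object' || typeof v === 'function');
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Build a deep merge that skips the keys in `blocked`; with `ownOnly` it
// also recurses only into properties the target itself owns.
function makeMerge(blocked, ownOnly = false) {
  const skip = new Set(blocked);
  return function merge(target, source) {
    for (const key of Object.keys(source)) {
      if (skip.has(key)) continue;
      const value = source[key];
      if (value === null || typeof value !== 'object') {
        target[key] = value;
        continue;
      }
      // Plain target[key] resolves through the prototype chain, so an
      // unfiltered "__proto__" or "constructor" key yields Object.prototype
      // or the Object function instead of data owned by the target.
      const existing = !ownOnly || hasOwn(target, key) ? target[key] : undefined;
      if (!isContainer(existing)) target[key] = {};
      merge(target[key], value);
    }
    return target;
  };
}

const protoOnly = makeMerge(['__proto__']); // assumed shape of a partial filter
const hardened = makeMerge(['__proto__', 'constructor', 'prototype'], true);

// Regression check: merge untrusted JSON into a fresh object, report whether
// an unrelated object inherited the canary, then remove the canary again.
function reachesPrototype(merge, json) {
  merge({}, JSON.parse(json));
  const leaked = ({}).ppCanary !== undefined;
  delete Object.prototype.ppCanary;
  return leaked;
}

// Constructed inputs naming the two properties from the advisories above.
const viaProto = '{"__proto__":{"ppCanary":1}}';
const viaConstructor = '{"constructor":{"prototype":{"ppCanary":1}}}';

console.log(reachesPrototype(protoOnly, viaProto));       // false
console.log(reachesPrototype(protoOnly, viaConstructor)); // true
console.log(reachesPrototype(hardened, viaConstructor));  // false
```

A check like `reachesPrototype` can be kept as a regression test around any merge or clone helper that receives parsed request bodies, alongside the version upgrade listed above.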