Ant Design (antd) has released version 1.5.0, building upon the solid foundation of its previous stable release, 1.4.1. Both versions cater to developers seeking a robust UI design language and incorporate a suite of React-based components. A notable difference lies in the updated dependencies, specifically rc-form which moves from ~0.16.0 to ~0.17.1. The rc-table dependency has also been updated from ~4.1.4 to ~4.2.0. rc-dialog sees a similar change moving from ~6.0.6 to ~6.1.0, indicating refinements and potential new features within these core components.
The development dependencies also show some subtle but important shifts. The primary benefit for developers, in relation to these updates, comes from improvements and bug fixes within these core building blocks, potentially leading to enhanced form handling, table rendering, and dialog management.
Version 1.5.0 ships approximately four days after version 1.4.1, suggesting it incorporates recent fixes and improvements identified shortly after the previous release. Developers upgrading from 1.4.1 should carefully review the changelogs for rc-form, rc-table and rc-dialog to understand the specific changes and ensure smooth integration within their applications. Both versions share a common set of essential dependencies, ensuring a consistent development experience for most components.
All the vulnerabilities related to the version 1.5.0 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
