Ant Design (antd) is a popular UI library providing a comprehensive suite of React components, aiming to streamline the development of elegant and responsive user interfaces. Comparing versions 1.5.0 and 1.5.1 reveals a focused, incremental update. The core dependencies driving antd remain consistent, ensuring stability and backwards compatibility for developers already invested in the 1.5.x series.
Both versions share the same fundamental dependencies, from form handling with rc-form and menu navigation with rc-menu to advanced functionalities like date pickers enabled by rc-calendar and data display with rc-table. Key development dependencies like react, react-dom, eslint, babel and webpack are also consistent across these releases.
The most noticeable change between versions 1.5.0 and 1.5.1 lies in the releaseDate, suggesting a focused hotfix or minor enhancement rather than a major feature release. Specifically, version 1.5.1 was released on "2016-06-21", just a few days after version 1.5.0 released on"2016-06-17". For developers, this signifies a safe upgrade path with minimal risk of introducing breaking changes while potentially addressing reported issues or edge cases identified in the 1.5.0 release. This incremental approach allows developers to stay current with the latest improvements and bug fixes without the overhead of extensive testing and refactoring. While the specific nature of the patch isn't detailed in the metadata, the quick succession of the releases hints at a focused effort to refine and stabilize the existing feature set.
All the vulnerabilities related to the version 1.5.1 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
