Ant Design (antd) has released version 1.6.0, building upon the foundation of the preceding 1.5.1 release. Both versions serve as a UI design language, equipped with a comprehensive set of React components to streamline web application development.
A key difference lies in the updated dependencies. Notably, rc-table sees an upgrade from version ~4.2.0 to ~4.3.2. rc-calendar also experiences an update from version ~5.5.4 to ~5.6.2. While seemingly minor, these dependency updates often incorporate bug fixes, performance improvements, and new features within those individual components. Developers should review the changelogs of these respective rc-* packages to understand the specific implications of these version bumps.
Both versions share a broad set of development dependencies aimed at facilitating a robust development workflow. These commonalities include tools for linting (ESLint), testing (Jest), documentation generation (Bisheng), and animation (rc-tween-one, rc-scroll-anim). The consistent usage of React (^15.0.0) and associated utilities like react-dom and react-addons-test-utils ensures compatibility across the versions, minimizing potential migration issues. Leveraging these tools enhances code quality, maintainability, and overall developer experience when working with Ant Design. Developers aiming to stay current with best practices in front-end development will find the package's tooling choices aligned with modern standards.
All the vulnerabilities related to the version 1.6.0 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
