Ant Design (antd) is a popular UI library offering a rich set of React components designed to accelerate development and provide a consistent user experience. Comparing versions 1.6.2 and 1.6.3 reveals subtle but potentially important updates for developers. The core dependencies remain largely consistent, indicating a focus on stability and refinement. Both versions rely heavily on the rc-* suite of components, covering everything from forms and menus to tables and calendars, ensuring a modular and well-tested foundation. Developers already familiar with these underlying components will find upgrading straightforward.
The change from 1.6.2 to 1.6.3 is a small incremental update; the dependency and devDependency data provided shows no visible changes. Typically, such minor version bumps involve bug fixes, performance improvements, or small feature enhancements that don't introduce breaking changes. For developers, this suggests a safe and recommended upgrade path. Without specific release notes, it's advisable to consult the official Ant Design changelog for version 1.6.3 to understand the precise modifications. This ensures developers can benefit from any addressed issues or optimizations while maintaining the integrity of their existing codebase. Checking the changelog would highlight any focused areas of improvement to consider, especially when relying on specific components within the Ant Design library.
All vulnerabilities related to version 1.6.3 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5. Don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator always returns false when the operands are of different types.
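The strict-equality bypass described above, shown beside a hardened path check that rejects prototype-reaching keys whether they arrive as strings, arrays or nested arrays. This is an added example, not object-path's own code; normalizePath, safeSet and isRejected are hypothetical helper names.

```javascript
// Added example, not object-path's code. A strict-equality check on one path
// component misses array-typed components; the hardened variant normalises
// every component to a string first and refuses prototype-reaching keys.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive check, as described in the advisory: strict equality against a string.
// Returns false for ['__proto__'] because the operand types differ.
function naiveIsProto(currentPath) {
  return currentPath === '__proto__';
}

// Hardened normalisation: accept a dotted string or an array whose components
// may be strings, numbers or nested arrays; flatten, stringify, then reject any
// component that would reach Object.prototype.
function normalizePath(path) {
  const parts = Array.isArray(path) ? path.flat(Infinity) : String(path).split('.');
  const keys = parts.map((p) => String(p));
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to traverse prototype key "${key}"`);
    }
  }
  return keys;
}

// Minimal set() that only walks own properties and creates plain objects,
// so intermediate lookups never resolve through the prototype chain.
function safeSet(target, path, value) {
  const keys = normalizePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// True when safeSet refuses the path (the outcome a caller should expect
// for any polluting input); false when the write went through.
function isRejected(path) {
  try { safeSet({}, path, 'x'); return false; } catch (e) { return e instanceof TypeError; }
}
```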
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.