Ant Design (antd) has released a new version, 2.10.2, building upon the previous stable release, 2.10.1. Both versions are described as enterprise-class UI design languages and React-based implementations, offering a comprehensive suite of components for building rich user interfaces.
Examining the dependency changes, version 2.10.2 updates rc-table from ~5.2.13 to ~5.3.3, rc-calendar from ~8.1.0 to ~8.3.0, and introduces create-react-class at ^15.5.3. The removal of rc-radio (~2.0.0), which was present in 2.10.1, and the addition of react-color (^2.11.7) indicate that some components have been refactored and that functionality such as a built-in color picker was added.
In the devDependencies, antd 2.10.2 includes react-color at ^2.11.7 and removes react-color-standalone and react-stateless-wrapper, indicating cleanup and potentially a streamlining of internal testing or development processes.
Developers upgrading to 2.10.2 should pay particular attention to the rc-table and rc-calendar components to ensure compatibility with their existing code, as minor version bumps can sometimes introduce API changes or behavioral modifications. The React community may also want to note the removal of rc-radio and the addition of create-react-class. Overall, the update appears to focus on component enhancements and internal improvements rather than major feature additions.
All vulnerabilities related to version 2.10.2 of the package
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
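The practical mitigation, besides upgrading lodash, is to never let a user-supplied property path reach `Object.prototype`. The following is an added example, not code from antd or lodash: a small deep-set helper that parses a lodash-style path, refuses the segments `__proto__`, `constructor` and `prototype`, and only ever creates own properties on the target. The `safeSet`, `parsePath`, `assertSafePath` and `isBlocked` names are this example's own.

```javascript
// Added example (not lodash's implementation): a deep-set helper that refuses
// the path segments through which prototype pollution is reached.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a lodash-style path such as "a.b[0].c" (or an array) into segments.
function parsePath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\w+)\]/g, ".$1") // a[0] -> a.0
    .split(".")
    .filter((seg) => seg.length > 0);
}

// Throw if any segment could walk up to Object.prototype.
function assertSafePath(segments) {
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to set path through forbidden key "${seg}"`);
    }
  }
  return segments;
}

// Deep set that only creates intermediate objects as own properties of
// the target, so nothing shared between objects is ever written to.
function safeSet(target, path, value) {
  const segments = assertSafePath(parsePath(path));
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Convenience check for input validation layers: true if the path is rejected.
function isBlocked(path) {
  try {
    safeSet({}, path, 1);
    return false;
  } catch (e) {
    return true;
  }
}
```

Rejecting `constructor` outright is deliberately conservative: it blocks the `constructor.prototype` route with a single rule rather than trying to reason about which combinations are harmful.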
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
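The defensive rule that fixed this class of bug is: when a redirect changes origin, credential-bearing headers are dropped before the follow-up request is made. The following is an added example, not node-fetch's own code: a helper that compares the original and redirect URLs by scheme, host and port and returns the header set that may safely follow the redirect. The `headersForRedirect` and `sameOrigin` names, and the sample header values, are constructed for this example.

```javascript
// Added example (not node-fetch's implementation): header policy for
// following an HTTP redirect without leaking credentials cross-origin.
const SENSITIVE_HEADERS = new Set(["authorization", "www-authenticate", "cookie", "cookie2"]);

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Return a copy of `headers` suitable for the redirected request.
// Sensitive headers survive only when the redirect stays on the same origin.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Audit helper: list the headers that would be stripped for a given redirect,
// useful when logging or alerting on cross-origin redirects of authenticated calls.
function strippedHeaders(fromUrl, toUrl, headers) {
  const kept = headersForRedirect(fromUrl, toUrl, headers);
  return Object.keys(headers).filter((name) => !(name in kept));
}

// Constructed sample: an authenticated API call redirected to another host.
const sampleHeaders = {
  Authorization: "Bearer example-token",
  Cookie: "session=abc123",
  Accept: "application/json",
};
console.log(strippedHeaders("https://api.example.com/v1/data", "https://cdn.example.net/data", sampleHeaders));
```

Port is compared as well as host so that a redirect to a different service on the same machine is treated as cross-origin; the `URL` class normalises default ports to an empty string, so `https://host` and `https://host:443` still compare equal.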