Lodash.merge is a utility library offering the _.merge method as a standalone module, ideal for selectively including only the merging functionality of the broader Lodash library in your JavaScript projects. Version 4.5.1 follows closely on the heels of version 4.5.0, with both versions sharing identical descriptions, licensing under MIT, and authorship attributed to John-David Dalton. Both versions provide the same core functionality: a robust and versatile method for deeply merging JavaScript objects and arrays.
The key differentiator between the two versions is their release date. Version 4.5.0 was published on July 25, 2016, while version 4.5.1 followed shortly after on July 31, 2016. This proximity suggests that version 4.5.1 likely incorporates minor bug fixes, performance improvements, or dependency updates that were deemed necessary shortly after the release of 4.5.0.
For developers, upgrading from 4.5.0 to 4.5.1 is generally recommended, as it typically resolves any immediately identified issues and provides a more polished experience. While the core merging behavior remains the same, choosing the latest patch version ensures you're working with the most stable and up-to-date iteration of the lodash.merge module. Always check the Lodash changelog or release notes for a detailed list of changes if you want to know exactly what was modified.
All the vulnerabilities related to version 4.5.1 of the package
Prototype Pollution in lodash.merge
Versions of lodash.merge before 4.6.1 are vulnerable to Prototype Pollution. The function 'merge' may allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.1 or later.
Prototype Pollution in lodash.merge
Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.2 or later.
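A defensive input check for the two vectors named in the advisories above, added here as an example and not taken from the original page or from lodash: it reports, strips, or rejects __proto__, constructor and prototype keys in parsed JSON before the data reaches a deep merge. The function names and sample payloads are constructed for illustration, and the check complements the upgrade to 4.6.2 or later rather than replacing it.

```javascript
// Added example: names and sample payloads below are constructed for illustration.
// Assumption: the application never needs these three names as data keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed inputs mirroring the two vectors in the advisories.
const SAMPLE_PROTO = '{"name":"a","__proto__":{"isAdmin":true}}';
const SAMPLE_CTOR = '{"constructor":{"prototype":{"isAdmin":true}}}';
const SAMPLE_NESTED = '{"profile":{"tags":[{"__proto__":{"x":1}}]}}';

// Return the dotted path of every blocked key in a parsed JSON value.
// JSON.parse creates "__proto__" as an own property, so Object.keys sees it.
function findPollutionPaths(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) {
      found.push(here); // report it, but do not descend into the subtree
    } else {
      findPollutionPaths(value[key], here, found);
    }
  }
  return found;
}

// Return a deep copy with blocked keys dropped at every depth.
function stripPollutionKeys(value) {
  if (Array.isArray(value)) return value.map(stripPollutionKeys);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (!BLOCKED_KEYS.has(key)) clean[key] = stripPollutionKeys(value[key]);
  }
  return clean;
}

// Parse untrusted JSON and refuse it outright if any blocked key is present.
function parseUntrusted(json) {
  const parsed = JSON.parse(json);
  const paths = findPollutionPaths(parsed);
  if (paths.length > 0) {
    throw new Error(`rejected keys: ${paths.join(', ')}`);
  }
  return parsed;
}
```

Rejecting with parseUntrusted is the stricter choice at a trust boundary; stripPollutionKeys suits cases where the rest of the payload must still be processed.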