Lodash.merge versions 4.6.1 and 4.6.0 offer developers a modularized way to utilize the _.merge functionality from the popular Lodash library. This allows for targeted inclusion of only the merge function, reducing overall project size compared to importing the entire Lodash library. Both versions, licensed under the MIT license, provide a deep merge capability, combining properties of source objects into a destination object. This is especially useful for configuration management, data processing, and object manipulation in JavaScript applications.
The key difference lies in their release dates: version 4.6.1 was published on February 4, 2018, while version 4.6.0 was released much earlier, on August 13, 2016. This suggests that version 4.6.1 likely includes bug fixes, performance improvements, or minor refinements over its predecessor. While the core functionality remains consistent, developers should favor version 4.6.1 to leverage the latest enhancements and stability improvements. Both versions are readily available through npm and can be easily integrated into projects using standard package management practices. The package's repository resides on GitHub, enabling developers to explore the source code, contribute to the project, and report any issues they encounter. This direct access fosters transparency and community involvement, ensuring the library's ongoing development and maintenance.
All vulnerabilities related to version 4.6.1 of the package:
Prototype Pollution in lodash.merge
Versions of lodash.merge before 4.6.2 are vulnerable to prototype pollution. The function merge may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects.
Update to version 4.6.2 or later.
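As an added illustration (not lodash.merge's own code), the following deep merge shows the check a patched merge has to perform: it refuses to walk into the keys that a {constructor: {prototype: {...}}} payload relies on, and it includes a helper that flags such keys in untrusted input before merging. The sample payload, safeMerge and containsPollutionKeys are constructed for this example.

```javascript
// Keys through which a deep merge can reach Object.prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only recurse into plain objects; class instances, Dates, etc. are
// copied by reference rather than walked.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Detection helper: true when untrusted input (e.g. a parsed JSON body)
// carries a key that could pollute Object.prototype when deep-merged.
function containsPollutionKeys(value) {
  if (!isPlainObject(value) && !Array.isArray(value)) return false;
  return Object.keys(value).some(
    (key) => BLOCKED_KEYS.has(key) || containsPollutionKeys(value[key])
  );
}

// Hardened deep merge: own enumerable keys of source are merged into
// target, blocked keys are skipped, and recursion happens only into
// plain objects, so the walk can never land on a prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // never step toward the prototype
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed sample: a config payload in the shape the advisory describes.
// JSON.parse creates "constructor" as an own key, so it would be walked by
// an unguarded merge.
const untrusted = JSON.parse(
  '{"port": 8080, "constructor": {"prototype": {"isAdmin": true}}}'
);
const merged = safeMerge({ port: 3000, host: "localhost" }, untrusted);
```

After the merge, a fresh object still has no isAdmin property, which is the observable property a regression test for this class of bug should assert on.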