lodash.mergewith is an npm package that exports the _.mergeWith method of the Lodash library on its own, for modular use. mergeWith performs a deep (recursive) merge of source objects into a destination object, but, unlike _.merge, it takes a customizer function that decides how each pair of values is combined; when the customizer returns undefined, the default merge behaviour is used for that value. This fine-grained control is useful for complex data structures, for instance when arrays should be concatenated rather than merged index by index, or when simple overwriting isn't sufficient.
Versions 4.6.0 and 4.6.1 share the same core functionality, description, license (MIT), repository details, and author information (John-David Dalton); the visible difference lies in their release dates. Version 4.6.0 was released in August 2016, whereas version 4.6.1 came out significantly later, in February 2018. The step from 4.6.0 to 4.6.1 is a patch-level bump, which by semantic versioning convention signals bug fixes rather than new features; the changelog itself is not reproduced here. Note, however, that 4.6.1 is not a safe target: the advisory below covers every version before 4.6.2, so when integrating this package you should depend on 4.6.2 or later, and in general on the latest stable release.
All known vulnerabilities affecting version 4.6.1 of the package
Prototype Pollution in lodash.mergewith
Versions of lodash.mergewith before 4.6.2 are vulnerable to prototype pollution. The function mergeWith may allow a malicious user to modify the prototype of Object via a source object shaped like {constructor: {prototype: {...}}}, causing the addition or modification of a property that will then exist on all objects, for example when untrusted JSON from a request body is merged into a configuration or options object.

Update to version 4.6.2 or later. Check transitive copies as well, not only the version your own package.json declares; npm ls lodash.mergewith lists every installed copy and which dependency pulls it in.
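The following is an added example, not lodash's own code and not taken from the advisory: a minimal deep merge with a customizer (the API shape described at the top of the page) written so that it reproduces the flaw class the advisory describes, beside a hardened version. The vulnerable variant assumes two behaviours that together make prototype pollution possible: it honours source keys such as "constructor" and "__proto__", and it recurses into whatever the destination resolves for that key, including inherited values such as Object and Object.prototype. The payloads, the isAdmin property and the helper names are constructed for the demonstration.

```javascript
// Added example (not lodash's implementation): a deep merge with a customizer
// that reproduces the prototype-pollution flaw class, beside a hardened form.

function isObject(v) {
  const t = typeof v;
  return v !== null && (t === 'object' || t === 'function');
}

// VULNERABLE (assumed behaviour, constructed for this example): walks every own
// key of src and merges into dest[key] even when that value is inherited. For
// dest = {} the key "constructor" resolves to the Object function, and
// Object.prototype is then reached through its "prototype" key.
function vulnerableMergeWith(dest, src, customizer) {
  for (const key of Object.keys(src)) {
    const srcVal = src[key];
    const objVal = dest[key];
    const custom = customizer ? customizer(objVal, srcVal, key) : undefined;
    if (custom !== undefined) {
      dest[key] = custom;
    } else if (isObject(srcVal) && isObject(objVal)) {
      vulnerableMergeWith(objVal, srcVal, customizer);
    } else if (isObject(srcVal)) {
      dest[key] = vulnerableMergeWith(Array.isArray(srcVal) ? [] : {}, srcVal, customizer);
    } else {
      dest[key] = srcVal;
    }
  }
  return dest;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObjectOrArray(v) {
  if (Array.isArray(v)) return true;
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// HARDENED: refuses the three keys that lead to a prototype, merges only into
// values dest actually owns (never an inherited one), and recurses only into
// plain objects and arrays, never into functions.
function safeMergeWith(dest, src, customizer) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const srcVal = src[key];
    const objVal = Object.prototype.hasOwnProperty.call(dest, key) ? dest[key] : undefined;
    const custom = customizer ? customizer(objVal, srcVal, key) : undefined;
    if (custom !== undefined) {
      dest[key] = custom;
    } else if (isPlainObjectOrArray(srcVal)) {
      const target = isPlainObjectOrArray(objVal) ? objVal : (Array.isArray(srcVal) ? [] : {});
      dest[key] = safeMergeWith(target, srcVal, customizer);
    } else {
      dest[key] = srcVal;
    }
  }
  return dest;
}

// Constructed attacker input, as it would arrive from JSON.parse on a request
// body. Both shapes target Object.prototype; the first is the one the advisory names.
const PAYLOADS = {
  constructorChain: JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}'),
  protoKey: JSON.parse('{"__proto__": {"isAdmin": true}}'),
};

// Merges each payload into a fresh object with mergeFn and reports whether an
// unrelated object afterwards sees isAdmin. Object.prototype is cleaned up so
// repeated calls start from a clean state.
function pollutionReport(mergeFn) {
  const report = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    mergeFn({}, payload);
    report[name] = ({}).isAdmin === true;
    delete Object.prototype.isAdmin;
  }
  return report;
}

// The customizer from the usual mergeWith use case: concatenate arrays instead of
// merging them index by index; returning undefined hands the value back to the merge.
function concatArrays(objValue, srcValue) {
  return Array.isArray(objValue) ? objValue.concat(srcValue) : undefined;
}

function legitimateMerge(mergeFn) {
  return mergeFn({ a: [1], b: { x: 1 } }, { a: [2, 3], b: { y: 2 } }, concatArrays);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pollutionReport(vulnerableMergeWith)); // { constructorChain: true, protoKey: true }
  console.log('hardened:  ', pollutionReport(safeMergeWith));       // { constructorChain: false, protoKey: false }
  console.log('hardened merge still works:', JSON.stringify(legitimateMerge(safeMergeWith)));
}
```

The hardened variant does not rely on the customizer as a guard: a customizer is a merge policy chosen by the caller, and forgetting to reject dangerous keys there would reopen the hole. Blocking the three keys and refusing to merge into inherited values is done inside the merge itself, so every caller gets it. Run with node to see both reports; the vulnerable report is true for both payloads, the hardened one false, and the ordinary array-concatenation merge still yields { a: [1, 2, 3], b: { x: 1, y: 2 } }.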