Merge is a lightweight JavaScript library for deep-merging several JavaScript objects into one. Functionally similar to jQuery's extend but with added flexibility, it runs in both Node.js and the browser. Its core job is to copy the properties of one or more source objects, recursively, onto a single target object; an optional cloning mode returns a new object so the sources are left unmodified. As with any recursive merge, the keys it walks come from the source objects, so feeding it untrusted input (for example a parsed request body) is where the prototype pollution issue noted below arises.
Versions 1.2.0 (published 2014) and 1.2.1 (published 2018) differ mainly in package metadata. The 1.2.0 manifest names the author ("yeikos") together with a URL to their site, and lists the repository as https://github.com/yeikos/js.merge.git. The 1.2.1 manifest records the repository as git+https://github.com/yeikos/js.merge.git, the normalized form that newer npm clients write, and carries dist metadata with fileCount and unpackedSize for the published tarball. These fields are informational: they let a reviewer compare what was published against the tagged source and spot an unexpectedly large or small tarball, but they are not an integrity guarantee on their own. The merging behaviour itself is the same in both versions, so both are older than 2.1.1 and neither avoids the prototype pollution issue described below.
All vulnerabilities affecting version 1.2.1 of the package
Prototype Pollution in merge
All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge (CVE-2020-28499). When the recursive merge walks a source object that contains a __proto__ key, it descends into the target's prototype and writes the attacker-supplied properties onto Object.prototype, where every object in the process inherits them. Version 1.2.1 is therefore affected; upgrade to merge 2.1.1 or later, and check what is actually installed with npm ls merge, since merge is often pulled in transitively.
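The following added example is not the merge library's own code and does not reproduce its _recursiveMerge; it is a minimal recursive merge written here to show the bug class, beside a hardened version that skips prototype-reaching keys and only recurses into the target's own properties. The payload string is constructed for the demonstration; the function names are this example's own.

```javascript
// Added example, not the merge library's source. It contrasts a recursive
// merge with the prototype pollution bug class against a hardened version.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE pattern (hypothetical, modelled on the bug class, not merge's
// actual _recursiveMerge): every enumerable key of the source is walked,
// including "__proto__". target["__proto__"] resolves to Object.prototype,
// which passes the plain-object check, so the recursion writes the
// attacker's keys onto Object.prototype.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED version: reject the keys that reach a prototype, iterate own keys
// only, and never recurse into an inherited property of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = mergeHardened(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body. JSON.parse creates
// an own enumerable property literally named "__proto__" (it does not set the
// prototype), which is exactly what a naive for...in loop then walks into.
const PAYLOAD = '{"__proto__": {"polluted": true}}';

function runDemo() {
  const results = {};

  mergeVulnerable({}, JSON.parse(PAYLOAD));
  // An unrelated, freshly created object now carries the attacker's property.
  results.vulnerablePolluted = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected

  mergeHardened({}, JSON.parse(PAYLOAD));
  results.hardenedPolluted = ({}).polluted === true;

  // Ordinary deep merging still works in the hardened version.
  results.merged = mergeHardened({ a: { x: 1 } }, { a: { y: 2 }, b: 3 });
  return results;
}

console.log(JSON.stringify(runDemo()));
```

Running the block prints `{"vulnerablePolluted":true,"hardenedPolluted":false,"merged":{"a":{"x":1,"y":2},"b":3}}`. The hardened version deliberately drops __proto__, constructor and prototype keys rather than copying them as plain data; if an application legitimately needs such keys, a target created with Object.create(null) is the safer alternative to re-enabling them.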