Mixin-deep is a utility for deeply merging JavaScript objects, similar to merge-deep but performing the merge directly into the target object without creating clones. This behavior can be crucial for performance and memory management, especially when dealing with large or complex data structures. Version 1.3.1, released on February 7, 2018, is a patch update to the previous stable version, 1.3.0, which was released on December 9, 2017.
While the core functionality remains the same, developers should note the bug fixes included in the newer patch release. The dist object in the 1.3.1 metadata lists fileCount: 4 and unpackedSize: 6982, so the changes introduced in this version are small and have little effect on the size on disk. No specific details of the fixes are given; patch releases typically address minor issues and improve stability. The package's dependencies, "for-in" and "is-extendable," are unchanged between the versions, indicating that the update was confined to the core logic of the mixin-deep library itself.
Vulnerabilities affecting version 1.3.1 of the package
Prototype Pollution in mixin-deep
Versions of mixin-deep prior to 2.0.1 or 1.3.2 are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which Object properties it updates, so a merged object can reach Object.prototype. This allows an attacker to modify the prototype of Object, adding a property to, or changing an existing property on, every object in the process.
If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.
If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.