Mixin-deep is a utility for deeply merging the properties of one or more source objects into a target object, similar to merge-deep but without cloning: the target is mutated in place, and nested source objects are merged into the target's existing nested objects rather than copied. The notable change in version 2.0.0 is the removal of its runtime dependencies, which streamlines the package and may improve performance. Its unpacked size is listed as 6849 bytes, a slight decrease from version 1.3.2's 7218 bytes.
The earlier version, 1.3.2, delegates object iteration to the for-in package and its extensibility check to is-extendable. Version 2.0.0 drops both, which implies that the iteration and type checks were reimplemented inline. That rewrite does not by itself make the package safer: as the advisory below records, 2.0.0 is still affected by the prototype pollution issue that 1.3.2 already fixes, and the fix only reaches the 2.x line in 2.0.1. Developers should treat the dependency removal as an internal change that may have subtle behavioural effects, while expecting the core deep-mixing behaviour to stay the same.
Both versions share the same MIT license and are authored by Jon Schlinkert. They give developers a simple way to merge configuration or settings objects without the overhead of a full clone. The removal of dependencies in 2.0.0 is attractive for projects that want to minimise their dependency footprint, but dependency count is not the relevant security criterion here: 1.3.2 is a patched release and 2.0.0 is not, so a project moving to the 2.x line should go straight to 2.0.1 or later. The project is hosted on GitHub, which facilitates contributions and issue tracking.
Vulnerabilities affecting version 2.0.0 of the package

Prototype Pollution in mixin-deep

Versions of mixin-deep prior to 1.3.2 (1.x line) and prior to 2.0.1 (2.x line) are vulnerable to Prototype Pollution. The mixinDeep function fails to validate which object properties it updates. When a source object under attacker control carries a key such as "__proto__" (for example, an object obtained by parsing a JSON request body), the recursive merge walks into Object.prototype and adds or modifies properties there, so the change appears on every object in the process.

If you are using mixin-deep 2.x, upgrade to version 2.0.1 or later.

If you are using mixin-deep 1.x, upgrade to version 1.3.2 or later.

mixin-deep is often present as a transitive dependency rather than one declared in your own package.json, so check the resolved version with npm ls mixin-deep before concluding that you are not affected.
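The mechanism the advisory describes, as an added example that is not mixin-deep's own source: a from-scratch deep mixin in the library's language, JavaScript, written once without key validation and once with the check a fixed release needs. The function names mixinDeepUnsafe, mixinDeepSafe, isValidKey and demonstrate, and the JSON payload, are constructed for this illustration. It goes slightly beyond the advisory text by also trying the constructor.prototype route to Object.prototype, which the same missing check leaves open.

```javascript
// Added illustration of the prototype-pollution bug class. This is NOT
// mixin-deep's own code: mixinDeepUnsafe reproduces the unchecked-key
// behaviour the advisory describes, mixinDeepSafe adds the validation.

const isObject = (val) =>
  typeof val === 'function' ||
  (typeof val === 'object' && val !== null && !Array.isArray(val));

// Vulnerable variant: every own enumerable key is merged, "__proto__"
// included. Reading target["__proto__"] returns Object.prototype, so the
// recursive call writes the attacker's properties onto Object.prototype.
function mixinDeepUnsafe(target, ...sources) {
  for (const source of sources) {
    if (!isObject(source)) continue;
    for (const key of Object.keys(source)) {
      const val = source[key];
      const existing = target[key]; // inherited accessor for "__proto__"
      if (isObject(val) && isObject(existing)) {
        mixinDeepUnsafe(existing, val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Hardened variant: reject the keys that can reach a prototype (assigning
// target["__proto__"] would also swap the target's prototype), and only
// recurse into properties the target owns, never into inherited objects.
const isValidKey = (key) =>
  key !== '__proto__' && key !== 'constructor' && key !== 'prototype';

function mixinDeepSafe(target, ...sources) {
  for (const source of sources) {
    if (!isObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (!isValidKey(key)) continue;
      const val = source[key];
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      if (isObject(val) && isObject(existing)) {
        mixinDeepSafe(existing, val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Constructed attacker input (hypothetical): a JSON request body that an
// application merges into its configuration. JSON.parse creates "__proto__"
// as an ordinary own property, which is exactly what the unsafe merge walks.
const PAYLOAD_JSON =
  '{"__proto__": {"polluted": true},' +
  ' "constructor": {"prototype": {"viaCtor": true}}}';

// Merge the payload with the given implementation and report whether an
// unrelated, freshly created object now inherits the injected properties.
// Object.prototype is cleaned up afterwards so repeated calls stay independent;
// a real process gets no such cleanup.
function demonstrate(mixinFn) {
  const config = { debug: false };
  try {
    mixinFn(config, JSON.parse(PAYLOAD_JSON));
    const unrelated = {};
    return {
      polluted: unrelated.polluted === true,
      viaCtor: unrelated.viaCtor === true,
      debug: config.debug,
    };
  } finally {
    delete Object.prototype.polluted;
    delete Object.prototype.viaCtor;
  }
}

console.log('unsafe:', demonstrate(mixinDeepUnsafe));
console.log('safe:  ', demonstrate(mixinDeepSafe));
```

Run it with node: the unsafe variant reports both injected properties visible on an object it never touched, the safe variant reports neither while still merging ordinary nested keys. Note that both the "__proto__" and the "constructor" key are rejected outright rather than merged under a different name; silently renaming them would still let the attacker land data in the target.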