Object-path is a lightweight and versatile JavaScript library designed to simplify accessing and manipulating deeply nested properties within objects using a path-like syntax. Versions 0.11.3 and 0.11.4 share a common foundation, both offering developers a convenient way to read and write values within complex JavaScript objects. Both versions boast identical core functionalities, including methods for safely retrieving, setting, and deleting values at specified paths using dot or bracket notation. Developers benefit from the library's ability to handle potentially undefined intermediate properties gracefully, preventing errors and streamlining code.
Comparing versions, the core functionality and developer experience remains consistent. The primary distinction lies in the release date. Version 0.11.4 was released on February 27, 2017, while version 0.11.3 was released earlier, on November 18, 2016. This suggests that version 0.11.4 likely includes bug fixes, performance improvements, or minor refinements not present in the earlier version. Both versions maintain the same dependencies for testing and development, including Chai, Mocha, Istanbul, Coveralls, and benchpress indicating a continued commitment to quality and performance. Object-Path is licensed under the permissive MIT license, and hosted on Github. Ultimately, developers seeking the most up-to-date and potentially more stable version of Object-path should opt for version 0.11.4, assuming no specific compatibility issues.
All the vulnerabilities related to the version 0.11.4 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
