Object-path is a lightweight JavaScript library designed to simplify accessing and manipulating deeply nested properties within JavaScript objects using a path-like string. Versions 0.9.1 and 0.9.2 share the same core functionality, providing developers with a clean and efficient syntax for interacting with complex data structures. Both versions boast essential development dependencies like Chai for assertions, Mocha for testing, Istanbul for code coverage analysis, Coveralls for displaying coverage reports, and mocha-lcov-reporter for generating LCOV coverage reports. The library is licensed under the permissive MIT license, encouraging its use in various projects.
The primary difference lies in the release dates. Version 0.9.2 was released on April 16, 2015, following version 0.9.1, which was released on March 19, 2015. While the changelog between these specific versions isn't directly included in the provided data, the presence of a newer version suggests bug fixes, performance improvements, or minor feature enhancements that refine the overall stability and usability of the library. Developers using object-path benefit from its concise syntax, avoiding verbose and error-prone nested property checks. The "object-path" library helps to simplify common tasks like safely retrieving values ("get"), setting new values ("set"), checking the existence of values ("has"), deleting values ("delete"), and pushing values to arrays that are nested inside the object. Whether you are working with configuration data, API responses, or any nested JavaScript object, object-path provides a convenient and reliable solution.
All the vulnerabilities related to the version 0.9.2 of the package
Prototype pollution in object-path
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.
Upgrade to version >= 0.11.5
Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.
Read more about the prototype pollution vulnerability
If you have any questions or comments about this advisory:
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Prototype Pollution in object-path
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.
