diff --git a/LICENSE b/LICENSE
index c6f2f6145..77c42f140 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright JS Foundation and other contributors
+Copyright OpenJS Foundation and other contributors
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors
diff --git a/README.md b/README.md
index 49dc80c31..123e41d63 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# lodash-es v4.17.11
+# lodash-es v4.17.12
The [Lodash](https://lodash.com/) library exported as [ES](http://www.ecma-international.org/ecma-262/6.0/) modules.
@@ -7,4 +7,4 @@ Generated using [lodash-cli](https://www.npmjs.com/package/lodash-cli):
$ lodash modularize exports=es -o ./
```
-See the [package source](https://github.com/lodash/lodash/tree/4.17.11-es) for more details.
+See the [package source](https://github.com/lodash/lodash/tree/4.17.12-es) for more details.
diff --git a/_baseClone.js b/_baseClone.js
index ad296197f..04c200a7f 100644
--- a/_baseClone.js
+++ b/_baseClone.js
@@ -140,16 +140,10 @@ function baseClone(value, bitmask, customizer, key, object, stack) {
value.forEach(function(subValue) {
result.add(baseClone(subValue, bitmask, customizer, subValue, value, stack));
});
-
- return result;
- }
-
- if (isMap(value)) {
+ } else if (isMap(value)) {
value.forEach(function(subValue, key) {
result.set(key, baseClone(subValue, bitmask, customizer, key, value, stack));
});
-
- return result;
}
var keysFunc = isFull
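Review bot: With both `return result;` lines removed, a cloned Set or Map now falls through to the `keysFunc` code that follows the `if`/`else if`, and nothing in the hunk says this is intended. If the aim is to copy extra own properties set on the Set or Map instance, say so with a comment above the branch, for example `// No early return: Set/Map instances continue to the property copy below.` The start of the Set branch and the rest of `baseClone` are outside the hunk, so what the fall-through code does with `result` should be confirmed there.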
diff --git a/_baseMerge.js b/_baseMerge.js
index 151149859..d0051a7f1 100644
--- a/_baseMerge.js
+++ b/_baseMerge.js
@@ -22,8 +22,8 @@ function baseMerge(object, source, srcIndex, customizer, stack) {
return;
}
baseFor(source, function(srcValue, key) {
+ stack || (stack = new Stack);
if (isObject(srcValue)) {
- stack || (stack = new Stack);
baseMergeDeep(object, source, key, srcIndex, baseMerge, customizer, stack);
}
else {
diff --git a/_createRound.js b/_createRound.js
index 8b3edab7b..cc1b261c2 100644
--- a/_createRound.js
+++ b/_createRound.js
@@ -3,7 +3,8 @@ import toNumber from './toNumber.js';
import toString from './toString.js';
/* Built-in method references for those with the same name as other `lodash` methods. */
-var nativeMin = Math.min;
+var nativeIsFinite = root.isFinite,
+ nativeMin = Math.min;
/**
* Creates a function like `_.round`.
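Review bot: `nativeIsFinite = root.isFinite` references `root`, but this diff adds no import for it. The hunk starts at line 3 of the file on both the old and new side, so no line was inserted above it, and the only imports visible here are `toNumber` and `toString`. If `root` is not already imported, evaluating this module throws a ReferenceError as soon as it is loaded, which breaks every rounding helper built on `createRound`. Add `import root from './_root.js';` beside the other imports, or call the global `isFinite` directly.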
@@ -17,7 +18,7 @@ function createRound(methodName) {
return function(number, precision) {
number = toNumber(number);
precision = precision == null ? 0 : nativeMin(toInteger(precision), 292);
- if (precision) {
+ if (precision && nativeIsFinite(number)) {
// Shift with exponential notation to avoid floating-point issues.
// See [MDN](https://mdn.io/round#Examples) for more details.
var pair = (toString(number) + 'e').split('e'),
diff --git a/_safeGet.js b/_safeGet.js
index e08241a72..2e5420ddd 100644
--- a/_safeGet.js
+++ b/_safeGet.js
@@ -1,5 +1,5 @@
/**
- * Gets the value at `key`, unless `key` is "__proto__".
+ * Gets the value at `key`, unless `key` is "__proto__" or "constructor".
*
* @private
* @param {Object} object The object to query.
@@ -7,6 +7,10 @@
* @returns {*} Returns the property value.
*/
function safeGet(object, key) {
+ if (key === 'constructor' && typeof object[key] === 'function') {
+ return;
+ }
+
if (key == '__proto__') {
return;
}
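Review bot: The updated doc comment says the value is withheld whenever `key` is "constructor", but the added guard returns `undefined` only when `object[key]` is also a function, so a non-function `constructor` property is still returned. The comment should state the real contract, for example `Gets the value at key, unless key is "__proto__" or a "constructor" function.` The two guards also compare differently (`===` for `constructor`, `==` for `__proto__`), so a key that is not a primitive string is treated differently by each. Using the same operator in both keeps the filter predictable. The rest of `safeGet`, including the final property read, is outside the hunk.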
diff --git a/debounce.js b/debounce.js
index c65962a83..b88f6a8fe 100644
--- a/debounce.js
+++ b/debounce.js
@@ -173,6 +173,7 @@ function debounce(func, wait, options) {
}
if (maxing) {
// Handle invocations in a tight loop.
+ clearTimeout(timerId);
timerId = setTimeout(timerExpired, wait);
return invokeFunc(lastCallTime);
}
diff --git a/lodash.default.js b/lodash.default.js
index 388431d09..ba3e91f42 100644
--- a/lodash.default.js
+++ b/lodash.default.js
@@ -2,7 +2,7 @@
* @license
* Lodash (Custom Build)
* Build: `lodash modularize exports="es" -o ./`
- * Copyright JS Foundation and other contributors
+ * Copyright OpenJS Foundation and other contributors
* Released under MIT license
* Based on Underscore.js 1.8.3
* Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
@@ -45,7 +45,7 @@ import toInteger from './toInteger.js';
import lodash from './wrapperLodash.js';
/** Used as the semantic version number. */
-var VERSION = '4.17.11';
+var VERSION = '4.17.12';
/** Used to compose bitmasks for function metadata. */
var WRAP_BIND_KEY_FLAG = 2;
@@ -606,10 +606,11 @@ arrayEach(['pop', 'push', 'shift', 'sort', 'splice', 'unshift'], function(method
baseForOwn(LazyWrapper.prototype, function(func, methodName) {
var lodashFunc = lodash[methodName];
if (lodashFunc) {
- var key = (lodashFunc.name + ''),
- names = realNames[key] || (realNames[key] = []);
-
- names.push({ 'name': methodName, 'func': lodashFunc });
+ var key = lodashFunc.name + '';
+ if (!hasOwnProperty.call(realNames, key)) {
+ realNames[key] = [];
+ }
+ realNames[key].push({ 'name': methodName, 'func': lodashFunc });
}
});
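Review bot: The switch to `hasOwnProperty.call(realNames, key)` carries no comment explaining why the own-property check matters. `key` is a function name, and assuming `realNames` is a plain object, the old `realNames[key] || …` lookup could resolve a name such as `constructor` or `toString` to a member inherited from `Object.prototype` instead of an array. A one-line comment above the check, for example `// Own-property check: a function name may collide with an Object.prototype member.`, would keep a later cleanup from reverting it. `hasOwnProperty` is not declared in this hunk, so confirm it is already in scope in this module.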
diff --git a/lodash.js b/lodash.js
index 706eb5e98..25b790ec1 100644
--- a/lodash.js
+++ b/lodash.js
@@ -2,7 +2,7 @@
* @license
* Lodash (Custom Build)
* Build: `lodash modularize exports="es" -o ./`
- * Copyright JS Foundation and other contributors
+ * Copyright OpenJS Foundation and other contributors
* Released under MIT license
* Based on Underscore.js 1.8.3
* Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
diff --git a/package.json b/package.json
index 88e93da40..9fff777bc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "lodash-es",
- "version": "4.17.11",
+ "version": "4.17.12",
"description": "Lodash exported as ES modules.",
"keywords": "es6, modules, stdlib, util",
"homepage": "https://lodash.com/custom-builds",
@@ -11,10 +11,11 @@
"main": "lodash.js",
"module": "lodash.js",
"sideEffects": false,
- "author": "John-David Dalton (http://allyoucanleet.com/)",
+ "author": "John-David Dalton ",
"contributors": [
- "John-David Dalton (http://allyoucanleet.com/)",
- "Mathias Bynens (https://mathiasbynens.be/)"
+ "John-David Dalton ",
+ "Mathias Bynens "
],
+ "type": "module",
"scripts": { "test": "echo \"See https://travis-ci.org/lodash-archive/lodash-cli for testing details.\"" }
}
diff --git a/template.js b/template.js
index 17873472c..aab4a0841 100644
--- a/template.js
+++ b/template.js
@@ -27,6 +27,12 @@ var reNoMatch = /($^)/;
/** Used to match unescaped characters in compiled string literals. */
var reUnescapedString = /['\n\r\u2028\u2029\\]/g;
+/** Used for built-in method references. */
+var objectProto = Object.prototype;
+
+/** Used to check objects for own properties. */
+var hasOwnProperty = objectProto.hasOwnProperty;
+
/**
* Creates a compiled template function that can interpolate data properties
* in "interpolate" delimiters, HTML-escape interpolated data properties in
@@ -162,7 +168,14 @@ function template(string, options, guard) {
, 'g');
// Use a sourceURL for easier debugging.
- var sourceURL = 'sourceURL' in options ? '//# sourceURL=' + options.sourceURL + '\n' : '';
+ // The sourceURL gets injected into the source that's eval-ed, so be careful
+ // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
+ // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+ var sourceURL = hasOwnProperty.call(options, 'sourceURL')
+ ? ('//# sourceURL=' +
+ (options.sourceURL + '').replace(/[\r\n]/g, ' ') +
+ '\n')
+ : '';
string.replace(reDelimiters, function(match, escapeValue, interpolateValue, esTemplateValue, evaluateValue, offset) {
interpolateValue || (interpolateValue = esTemplateValue);
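Review bot: The replacement `/[\r\n]/g` leaves U+2028 and U+2029 in `options.sourceURL`. Both are line terminators in JavaScript source, so they end the `//# sourceURL=` comment just as `\n` does. `reUnescapedString` a few lines up already lists them for the same reason. Widen the class to `.replace(/[\r\n\u2028\u2029]/g, ' ')`, or simply use `/\s/g`, so the whole value stays inside the single-line comment. The rest of `template` lies outside this hunk.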
@@ -193,7 +206,9 @@ function template(string, options, guard) {
// If `variable` is not specified wrap a with-statement around the generated
// code to add the data object to the top of the scope chain.
- var variable = options.variable;
+ // Like with sourceURL, we take care to not check the option's prototype,
+ // as this configuration is a code injection vector.
+ var variable = hasOwnProperty.call(options, 'variable') && options.variable;
if (!variable) {
source = 'with (obj) {\n' + source + '\n}\n';
}
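Review bot: The own-property check only decides where `variable` is read from; the value itself is not validated, even though the added comment calls this option a code injection vector. If an application builds `options` from request data, an own `variable` string is still accepted and presumably reaches the generated function source (that use is outside the hunk). Consider rejecting anything that is not a plain identifier right after the assignment, e.g. `if (variable && !/^[A-Za-z_$][\w$]*$/.test(variable)) throw new Error('Invalid variable option');`, or at least document that `options.variable` must come from trusted code. Also confirm how `options` is assembled earlier in `template`: if it comes from an assign that copies inherited enumerable keys, those keys are already own properties by the time this check runs.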