Update lodash-amd to v4.17.21 + edadd45 (#6064)

* Fix prototype pollution in _.set and related functions

Prevents setting dangerous properties (__proto__, constructor, prototype)
that could lead to prototype pollution vulnerabilities.

* Fix command injection vulnerability in _.template

- Add validation for the variable option to prevent injection attacks
- Improve sourceURL whitespace normalization to prevent code injection

* Fix cyclic value comparison in _.isEqual

Properly checks both directions when comparing cyclic values to ensure
correct equality comparisons for circular references.

* Improve _.sortBy and _.orderBy performance and array handling

- Add early return for empty arrays in sorted index operations
- Improve array iteratee handling to support nested property paths
- Add missing keysIn import in baseClone

* Refactor _.trim, _.trimEnd, and _.trimStart implementations

Extract shared trim logic into reusable utilities (_baseTrim, _trimmedEndIndex)
for better code organization and consistency. Update related functions
(toNumber, parseInt) to use new utilities. Improve comment accuracy.

* Add documentation for predicate composition with _.overEvery and _.overSome

Enhance documentation to show how _.matches and _.matchesProperty can be
combined using _.overEvery and _.overSome for more powerful filtering.
Add examples demonstrating shorthand predicate syntax.

* Bump to v4.17.21

* Fix prototype pollution in _.unset and _.omit

Prevent prototype pollution on baseUnset function by:
- Blocking "__proto__" if not an own property
- Blocking "constructor.prototype" chains (except when starting at primitive root)
- Skipping non-string keys

See: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

* Update JSDoc documentation to align with main branch

- Fix sortBy example ages (40 -> 30) for correct sort order demonstration
- Fix _setCacheHas return type (number -> boolean)

README.md

@@ -1,4 +1,4 @@
-# lodash-amd v4.17.15
+# lodash-amd v4.17.21
 
 The [Lodash](https://lodash.com/) library exported as [AMD](https://github.com/amdjs/amdjs-api/wiki/AMD) modules.
 
@@ -27,4 +27,4 @@ require({
 });
 ```
 
-See the [package source](https://github.com/lodash/lodash/tree/4.17.15-amd) for more details.
+See the [package source](https://github.com/lodash/lodash/tree/4.17.21-amd) for more details.

_baseClone.js

@@ -1,4 +1,4 @@
-define(['./_Stack', './_arrayEach', './_assignValue', './_baseAssign', './_baseAssignIn', './_cloneBuffer', './_copyArray', './_copySymbols', './_copySymbolsIn', './_getAllKeys', './_getAllKeysIn', './_getTag', './_initCloneArray', './_initCloneByTag', './_initCloneObject', './isArray', './isBuffer', './isMap', './isObject', './isSet', './keys'], function(Stack, arrayEach, assignValue, baseAssign, baseAssignIn, cloneBuffer, copyArray, copySymbols, copySymbolsIn, getAllKeys, getAllKeysIn, getTag, initCloneArray, initCloneByTag, initCloneObject, isArray, isBuffer, isMap, isObject, isSet, keys) {
+define(['./_Stack', './_arrayEach', './_assignValue', './_baseAssign', './_baseAssignIn', './_cloneBuffer', './_copyArray', './_copySymbols', './_copySymbolsIn', './_getAllKeys', './_getAllKeysIn', './_getTag', './_initCloneArray', './_initCloneByTag', './_initCloneObject', './isArray', './isBuffer', './isMap', './isObject', './isSet', './keys', './keysIn'], function(Stack, arrayEach, assignValue, baseAssign, baseAssignIn, cloneBuffer, copyArray, copySymbols, copySymbolsIn, getAllKeys, getAllKeysIn, getTag, initCloneArray, initCloneByTag, initCloneObject, isArray, isBuffer, isMap, isObject, isSet, keys, keysIn) {
 
   /** Used as a safe reference for `undefined` in pre-ES5 environments. */
   var undefined;

_baseOrderBy.js

@@ -1,4 +1,4 @@
-define(['./_arrayMap', './_baseIteratee', './_baseMap', './_baseSortBy', './_baseUnary', './_compareMultiple', './identity'], function(arrayMap, baseIteratee, baseMap, baseSortBy, baseUnary, compareMultiple, identity) {
+define(['./_arrayMap', './_baseGet', './_baseIteratee', './_baseMap', './_baseSortBy', './_baseUnary', './_compareMultiple', './identity', './isArray'], function(arrayMap, baseGet, baseIteratee, baseMap, baseSortBy, baseUnary, compareMultiple, identity, isArray) {
 
   /**
    * The base implementation of `_.orderBy` without param guards.
@@ -10,8 +10,21 @@ define(['./_arrayMap', './_baseIteratee', './_baseMap', './_baseSortBy', './_bas
    * @returns {Array} Returns the new sorted array.
    */
   function baseOrderBy(collection, iteratees, orders) {
+    if (iteratees.length) {
+      iteratees = arrayMap(iteratees, function(iteratee) {
+        if (isArray(iteratee)) {
+          return function(value) {
+            return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);
+          }
+        }
+        return iteratee;
+      });
+    } else {
+      iteratees = [identity];
+    }
+
     var index = -1;
-    iteratees = arrayMap(iteratees.length ? iteratees : [identity], baseUnary(baseIteratee));
+    iteratees = arrayMap(iteratees, baseUnary(baseIteratee));
 
     var result = baseMap(collection, function(value, key, collection) {
       var criteria = arrayMap(iteratees, function(iteratee) {

_baseSet.js

@@ -28,6 +28,10 @@ define(['./_assignValue', './_castPath', './_isIndex', './isObject', './_toKey']
       var key = toKey(path[index]),
           newValue = value;
 
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+        return object;
+      }
+
       if (index != lastIndex) {
         var objValue = nested[key];
         newValue = customizer ? customizer(objValue, key, nested) : undefined;

_baseSortedIndexBy.js

@@ -25,11 +25,14 @@ define(['./isSymbol'], function(isSymbol) {
    *  into `array`.
    */
   function baseSortedIndexBy(array, value, iteratee, retHighest) {
-    value = iteratee(value);
-
     var low = 0,
-        high = array == null ? 0 : array.length,
-        valIsNaN = value !== value,
+        high = array == null ? 0 : array.length;
+    if (high === 0) {
+      return 0;
+    }
+
+    value = iteratee(value);
+    var valIsNaN = value !== value,
         valIsNull = value === null,
         valIsSymbol = isSymbol(value),
         valIsUndefined = value === undefined;

_baseTrim.js

@@ -0,0 +1,20 @@
+define(['./_trimmedEndIndex'], function(trimmedEndIndex) {
+
+  /** Used to match leading whitespace. */
+  var reTrimStart = /^\s+/;
+
+  /**
+   * The base implementation of `_.trim`.
+   *
+   * @private
+   * @param {string} string The string to trim.
+   * @returns {string} Returns the trimmed string.
+   */
+  function baseTrim(string) {
+    return string
+      ? string.slice(0, trimmedEndIndex(string) + 1).replace(reTrimStart, '')
+      : string;
+  }
+
+  return baseTrim;
+});

_baseUnset.js

@@ -1,5 +1,11 @@
 define(['./_castPath', './last', './_parent', './_toKey'], function(castPath, last, parent, toKey) {
 
+  /** Used for built-in method references. */
+  var objectProto = Object.prototype;
+
+  /** Used to check objects for own properties. */
+  var hasOwnProperty = objectProto.hasOwnProperty;
+
   /**
    * The base implementation of `_.unset`.
    *
@@ -10,8 +16,47 @@ define(['./_castPath', './last', './_parent', './_toKey'], function(castPath, la
    */
   function baseUnset(object, path) {
     path = castPath(path, object);
-    object = parent(object, path);
-    return object == null || delete object[toKey(last(path))];
+
+    // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+    var index = -1,
+        length = path.length;
+
+    if (!length) {
+      return true;
+    }
+
+    var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
+
+    while (++index < length) {
+      var key = path[index];
+
+      // skip non-string keys (e.g., Symbols, numbers)
+      if (typeof key !== 'string') {
+        continue;
+      }
+
+      // Always block "__proto__" anywhere in the path if it's not expected
+      if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
+        return false;
+      }
+
+      // Block "constructor.prototype" chains
+      if (key === 'constructor' &&
+          (index + 1) < length &&
+          typeof path[index + 1] === 'string' &&
+          path[index + 1] === 'prototype') {
+
+        // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+        if (isRootPrimitive && index === 0) {
+          continue;
+        }
+
+        return false;
+      }
+    }
+
+    var obj = parent(object, path);
+    return obj == null || delete obj[toKey(last(path))];
   }
 
   return baseUnset;

_equalArrays.js

@@ -28,10 +28,11 @@ define(['./_SetCache', './_arraySome', './_cacheHas'], function(SetCache, arrayS
     if (arrLength != othLength && !(isPartial && othLength > arrLength)) {
       return false;
     }
-    // Assume cyclic values are equal.
-    var stacked = stack.get(array);
-    if (stacked && stack.get(other)) {
-      return stacked == other;
+    // Check that cyclic values are equal.
+    var arrStacked = stack.get(array);
+    var othStacked = stack.get(other);
+    if (arrStacked && othStacked) {
+      return arrStacked == other && othStacked == array;
     }
     var index = -1,
         result = true,

_equalObjects.js

@@ -42,10 +42,11 @@ define(['./_getAllKeys'], function(getAllKeys) {
         return false;
       }
     }
-    // Assume cyclic values are equal.
-    var stacked = stack.get(object);
-    if (stacked && stack.get(other)) {
-      return stacked == other;
+    // Check that cyclic values are equal.
+    var objStacked = stack.get(object);
+    var othStacked = stack.get(other);
+    if (objStacked && othStacked) {
+      return objStacked == other && othStacked == object;
     }
     var result = true;
     stack.set(object, other);

_setCacheHas.js

@@ -7,7 +7,7 @@ define([], function() {
    * @name has
    * @memberOf SetCache
    * @param {*} value The value to search for.
-   * @returns {number} Returns `true` if `value` is found, else `false`.
+   * @returns {boolean} Returns `true` if `value` is found, else `false`.
    */
   function setCacheHas(value) {
     return this.__data__.has(value);

_trimmedEndIndex.js

@@ -0,0 +1,22 @@
+define([], function() {
+
+  /** Used to match a single whitespace character. */
+  var reWhitespace = /\s/;
+
+  /**
+   * Used by `_.trim` and `_.trimEnd` to get the index of the last non-whitespace
+   * character of `string`.
+   *
+   * @private
+   * @param {string} string The string to inspect.
+   * @returns {number} Returns the index of the last non-whitespace character.
+   */
+  function trimmedEndIndex(string) {
+    var index = string.length;
+
+    while (index-- && reWhitespace.test(string.charAt(index))) {}
+    return index;
+  }
+
+  return trimmedEndIndex;
+});

filter.js

@@ -36,6 +36,10 @@ define(['./_arrayFilter', './_baseFilter', './_baseIteratee', './isArray'], func
    * // The `_.property` iteratee shorthand.
    * _.filter(users, 'active');
    * // => objects for ['barney']
+   *
+   * // Combining several predicates using `_.overEvery` or `_.overSome`.
+   * _.filter(users, _.overSome([{ 'age': 36 }, ['age', 40]]));
+   * // => objects for ['fred', 'barney']
    */
   function filter(collection, predicate) {
     var func = isArray(collection) ? arrayFilter : baseFilter;

main.js

@@ -13,7 +13,7 @@
   var undefined;
 
   /** Used as the semantic version number. */
-  var VERSION = '4.17.15';
+  var VERSION = '4.17.21';
 
   /** Used as the size to enable large array optimizations. */
   var LARGE_ARRAY_SIZE = 200;

matches.js

@@ -15,6 +15,9 @@ define(['./_baseClone', './_baseMatches'], function(baseClone, baseMatches) {
    * values against any array or object value, respectively. See `_.isEqual`
    * for a list of supported value comparisons.
    *
+   * **Note:** Multiple values can be checked by combining several matchers
+   * using `_.overSome`
+   *
    * @static
    * @memberOf _
    * @since 3.0.0
@@ -30,6 +33,10 @@ define(['./_baseClone', './_baseMatches'], function(baseClone, baseMatches) {
    *
    * _.filter(objects, _.matches({ 'a': 4, 'c': 6 }));
    * // => [{ 'a': 4, 'b': 5, 'c': 6 }]
+   *
+   * // Checking for several possible values
+   * _.filter(objects, _.overSome([_.matches({ 'a': 1 }), _.matches({ 'a': 4 })]));
+   * // => [{ 'a': 1, 'b': 2, 'c': 3 }, { 'a': 4, 'b': 5, 'c': 6 }]
    */
   function matches(source) {
     return baseMatches(baseClone(source, CLONE_DEEP_FLAG));

matchesProperty.js

@@ -12,6 +12,9 @@ define(['./_baseClone', './_baseMatchesProperty'], function(baseClone, baseMatch
    * `srcValue` values against any array or object value, respectively. See
    * `_.isEqual` for a list of supported value comparisons.
    *
+   * **Note:** Multiple values can be checked by combining several matchers
+   * using `_.overSome`
+   *
    * @static
    * @memberOf _
    * @since 3.2.0
@@ -28,6 +31,10 @@ define(['./_baseClone', './_baseMatchesProperty'], function(baseClone, baseMatch
    *
    * _.find(objects, _.matchesProperty('a', 4));
    * // => { 'a': 4, 'b': 5, 'c': 6 }
+   *
+   * // Checking for several possible values
+   * _.filter(objects, _.overSome([_.matchesProperty('a', 1), _.matchesProperty('a', 4)]));
+   * // => [{ 'a': 1, 'b': 2, 'c': 3 }, { 'a': 4, 'b': 5, 'c': 6 }]
    */
   function matchesProperty(path, srcValue) {
     return baseMatchesProperty(path, baseClone(srcValue, CLONE_DEEP_FLAG));

overEvery.js

@@ -4,6 +4,10 @@ define(['./_arrayEvery', './_createOver'], function(arrayEvery, createOver) {
    * Creates a function that checks if **all** of the `predicates` return
    * truthy when invoked with the arguments it receives.
    *
+   * Following shorthands are possible for providing predicates.
+   * Pass an `Object` and it will be used as an parameter for `_.matches` to create the predicate.
+   * Pass an `Array` of parameters for `_.matchesProperty` and the predicate will be created using them.
+   *
    * @static
    * @memberOf _
    * @since 4.0.0

overSome.js

@@ -4,6 +4,10 @@ define(['./_arraySome', './_createOver'], function(arraySome, createOver) {
    * Creates a function that checks if **any** of the `predicates` return
    * truthy when invoked with the arguments it receives.
    *
+   * Following shorthands are possible for providing predicates.
+   * Pass an `Object` and it will be used as an parameter for `_.matches` to create the predicate.
+   * Pass an `Array` of parameters for `_.matchesProperty` and the predicate will be created using them.
+   *
    * @static
    * @memberOf _
    * @since 4.0.0
@@ -23,6 +27,9 @@ define(['./_arraySome', './_createOver'], function(arraySome, createOver) {
    *
    * func(NaN);
    * // => false
+   *
+   * var matchesFunc = _.overSome([{ 'a': 1 }, { 'a': 2 }])
+   * var matchesPropertyFunc = _.overSome([['a', 1], ['a', 2]])
    */
   var overSome = createOver(arraySome);
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "lodash-amd",
-  "version": "4.17.15",
+  "version": "4.17.21",
   "description": "Lodash exported as AMD modules.",
   "keywords": "amd, modules, stdlib, util",
   "homepage": "https://lodash.com/custom-builds",

parseInt.js

@@ -1,6 +1,6 @@
 define(['./_root', './toString'], function(root, toString) {
 
-  /** Used to match leading and trailing whitespace. */
+  /** Used to match leading whitespace. */
   var reTrimStart = /^\s+/;
 
   /* Built-in method references for those with the same name as other `lodash` methods. */

sortBy.js

@@ -19,15 +19,15 @@ define(['./_baseFlatten', './_baseOrderBy', './_baseRest', './_isIterateeCall'],
    * var users = [
    *   { 'user': 'fred',   'age': 48 },
    *   { 'user': 'barney', 'age': 36 },
-   *   { 'user': 'fred',   'age': 40 },
+   *   { 'user': 'fred',   'age': 30 },
    *   { 'user': 'barney', 'age': 34 }
    * ];
    *
    * _.sortBy(users, [function(o) { return o.user; }]);
-   * // => objects for [['barney', 36], ['barney', 34], ['fred', 48], ['fred', 40]]
+   * // => objects for [['barney', 36], ['barney', 34], ['fred', 48], ['fred', 30]]
    *
    * _.sortBy(users, ['user', 'age']);
-   * // => objects for [['barney', 34], ['barney', 36], ['fred', 40], ['fred', 48]]
+   * // => objects for [['barney', 34], ['barney', 36], ['fred', 30], ['fred', 48]]
    */
   var sortBy = baseRest(function(collection, iteratees) {
     if (collection == null) {

template.js

@@ -3,11 +3,26 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
   /** Used as a safe reference for `undefined` in pre-ES5 environments. */
   var undefined;
 
+  /** Error message constants. */
+  var INVALID_TEMPL_VAR_ERROR_TEXT = 'Invalid `variable` option passed into `_.template`';
+
   /** Used to match empty string literals in compiled template source. */
   var reEmptyStringLeading = /\b__p \+= '';/g,
       reEmptyStringMiddle = /\b(__p \+=) '' \+/g,
       reEmptyStringTrailing = /(__e\(.*?\)|\b__t\)) \+\n'';/g;
 
+  /**
+   * Used to validate the `validate` option in `_.template` variable.
+   *
+   * Forbids characters which could potentially change the meaning of the function argument definition:
+   * - "()," (modification of function parameters)
+   * - "=" (default value)
+   * - "[]{}" (destructuring of function parameters)
+   * - "/" (beginning of a comment)
+   * - whitespace
+   */
+  var reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;
+
   /**
    * Used to match
    * [ES template delimiters](http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components).
@@ -162,11 +177,11 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
 
     // Use a sourceURL for easier debugging.
     // The sourceURL gets injected into the source that's eval-ed, so be careful
-    // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
-    // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+    // to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
+    // and escape the comment, thus injecting code that gets evaled.
     var sourceURL = hasOwnProperty.call(options, 'sourceURL')
       ? ('//# sourceURL=' +
-         (options.sourceURL + '').replace(/[\r\n]/g, ' ') +
+         (options.sourceURL + '').replace(/\s/g, ' ') +
          '\n')
       : '';
 
@@ -199,12 +214,16 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
 
     // If `variable` is not specified wrap a with-statement around the generated
     // code to add the data object to the top of the scope chain.
-    // Like with sourceURL, we take care to not check the option's prototype,
-    // as this configuration is a code injection vector.
     var variable = hasOwnProperty.call(options, 'variable') && options.variable;
     if (!variable) {
       source = 'with (obj) {\n' + source + '\n}\n';
     }
+    // Throw an error if a forbidden character was found in `variable`, to prevent
+    // potential command injection attacks.
+    else if (reForbiddenIdentifierChars.test(variable)) {
+      throw new Error(INVALID_TEMPL_VAR_ERROR_TEXT);
+    }
+
     // Cleanup code by stripping empty strings.
     source = (isEvaluating ? source.replace(reEmptyStringLeading, '') : source)
       .replace(reEmptyStringMiddle, '$1')

toNumber.js

@@ -1,11 +1,8 @@
-define(['./isObject', './isSymbol'], function(isObject, isSymbol) {
+define(['./_baseTrim', './isObject', './isSymbol'], function(baseTrim, isObject, isSymbol) {
 
   /** Used as references for various `Number` constants. */
   var NAN = 0 / 0;
 
-  /** Used to match leading and trailing whitespace. */
-  var reTrim = /^\s+|\s+$/g;
-
   /** Used to detect bad signed hexadecimal string values. */
   var reIsBadHex = /^[-+]0x[0-9a-f]+$/i;
 
@@ -55,7 +52,7 @@ define(['./isObject', './isSymbol'], function(isObject, isSymbol) {
     if (typeof value != 'string') {
       return value === 0 ? value : +value;
     }
-    value = value.replace(reTrim, '');
+    value = baseTrim(value);
     var isBinary = reIsBinary.test(value);
     return (isBinary || reIsOctal.test(value))
       ? freeParseInt(value.slice(2), isBinary ? 2 : 8)

trim.js

@@ -1,11 +1,8 @@
-define(['./_baseToString', './_castSlice', './_charsEndIndex', './_charsStartIndex', './_stringToArray', './toString'], function(baseToString, castSlice, charsEndIndex, charsStartIndex, stringToArray, toString) {
+define(['./_baseTrim', './_baseToString', './_castSlice', './_charsEndIndex', './_charsStartIndex', './_stringToArray', './toString'], function(baseTrim, baseToString, castSlice, charsEndIndex, charsStartIndex, stringToArray, toString) {
 
   /** Used as a safe reference for `undefined` in pre-ES5 environments. */
   var undefined;
 
-  /** Used to match leading and trailing whitespace. */
-  var reTrim = /^\s+|\s+$/g;
-
   /**
    * Removes leading and trailing whitespace or specified characters from `string`.
    *
@@ -31,7 +28,7 @@ define(['./_baseToString', './_castSlice', './_charsEndIndex', './_charsStartInd
   function trim(string, chars, guard) {
     string = toString(string);
     if (string && (guard || chars === undefined)) {
-      return string.replace(reTrim, '');
+      return baseTrim(string);
     }
     if (!string || !(chars = baseToString(chars))) {
       return string;

trimEnd.js

@@ -1,11 +1,8 @@
-define(['./_baseToString', './_castSlice', './_charsEndIndex', './_stringToArray', './toString'], function(baseToString, castSlice, charsEndIndex, stringToArray, toString) {
+define(['./_baseToString', './_castSlice', './_charsEndIndex', './_stringToArray', './_trimmedEndIndex', './toString'], function(baseToString, castSlice, charsEndIndex, stringToArray, trimmedEndIndex, toString) {
 
   /** Used as a safe reference for `undefined` in pre-ES5 environments. */
   var undefined;
 
-  /** Used to match leading and trailing whitespace. */
-  var reTrimEnd = /\s+$/;
-
   /**
    * Removes trailing whitespace or specified characters from `string`.
    *
@@ -28,7 +25,7 @@ define(['./_baseToString', './_castSlice', './_charsEndIndex', './_stringToArray
   function trimEnd(string, chars, guard) {
     string = toString(string);
     if (string && (guard || chars === undefined)) {
-      return string.replace(reTrimEnd, '');
+      return string.slice(0, trimmedEndIndex(string) + 1);
     }
     if (!string || !(chars = baseToString(chars))) {
       return string;

trimStart.js

@@ -3,7 +3,7 @@ define(['./_baseToString', './_castSlice', './_charsStartIndex', './_stringToArr
   /** Used as a safe reference for `undefined` in pre-ES5 environments. */
   var undefined;
 
-  /** Used to match leading and trailing whitespace. */
+  /** Used to match leading whitespace. */
   var reTrimStart = /^\s+/;
 
   /**