diff --git a/LICENSE b/LICENSE
index c6f2f6145..77c42f140 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright JS Foundation and other contributors <https://js.foundation/>
+Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
 
 Based on Underscore.js, copyright Jeremy Ashkenas,
 DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
diff --git a/README.md b/README.md
index 289e4b420..6f7d436de 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# lodash-amd v4.17.11
+# lodash-amd v4.17.12
 
 The [Lodash](https://lodash.com/) library exported as [AMD](https://github.com/amdjs/amdjs-api/wiki/AMD) modules.
 
@@ -27,4 +27,4 @@ require({
 });
 ```
 
-See the [package source](https://github.com/lodash/lodash/tree/4.17.11-amd) for more details.
+See the [package source](https://github.com/lodash/lodash/tree/4.17.12-amd) for more details.
diff --git a/_baseClone.js b/_baseClone.js
index 630be66e2..3dbfa1ee3 100644
--- a/_baseClone.js
+++ b/_baseClone.js
@@ -123,16 +123,10 @@ define(['./_Stack', './_arrayEach', './_assignValue', './_baseAssign', './_baseA
       value.forEach(function(subValue) {
         result.add(baseClone(subValue, bitmask, customizer, subValue, value, stack));
       });
-
-      return result;
-    }
-
-    if (isMap(value)) {
+    } else if (isMap(value)) {
       value.forEach(function(subValue, key) {
         result.set(key, baseClone(subValue, bitmask, customizer, key, value, stack));
       });
-
-      return result;
     }
 
     var keysFunc = isFull
diff --git a/_baseMerge.js b/_baseMerge.js
index 7f082a1cf..85850e6ba 100644
--- a/_baseMerge.js
+++ b/_baseMerge.js
@@ -19,8 +19,8 @@ define(['./_Stack', './_assignMergeValue', './_baseFor', './_baseMergeDeep', './
       return;
     }
     baseFor(source, function(srcValue, key) {
+      stack || (stack = new Stack);
       if (isObject(srcValue)) {
-        stack || (stack = new Stack);
         baseMergeDeep(object, source, key, srcIndex, baseMerge, customizer, stack);
       }
       else {
diff --git a/_createRound.js b/_createRound.js
index b4ec0b086..dfbde265b 100644
--- a/_createRound.js
+++ b/_createRound.js
@@ -1,7 +1,8 @@
 define(['./toInteger', './toNumber', './toString'], function(toInteger, toNumber, toString) {
 
   /* Built-in method references for those with the same name as other `lodash` methods. */
-  var nativeMin = Math.min;
+  var nativeIsFinite = root.isFinite,
+      nativeMin = Math.min;
 
   /**
    * Creates a function like `_.round`.
@@ -15,7 +16,7 @@ define(['./toInteger', './toNumber', './toString'], function(toInteger, toNumber
     return function(number, precision) {
       number = toNumber(number);
       precision = precision == null ? 0 : nativeMin(toInteger(precision), 292);
-      if (precision) {
+      if (precision && nativeIsFinite(number)) {
         // Shift with exponential notation to avoid floating-point issues.
         // See [MDN](https://mdn.io/round#Examples) for more details.
         var pair = (toString(number) + 'e').split('e'),
diff --git a/_safeGet.js b/_safeGet.js
index 79888d729..70dc7457a 100644
--- a/_safeGet.js
+++ b/_safeGet.js
@@ -1,7 +1,7 @@
 define([], function() {
 
   /**
-   * Gets the value at `key`, unless `key` is "__proto__".
+   * Gets the value at `key`, unless `key` is "__proto__" or "constructor".
    *
    * @private
    * @param {Object} object The object to query.
@@ -9,6 +9,10 @@ define([], function() {
    * @returns {*} Returns the property value.
    */
   function safeGet(object, key) {
+    if (key === 'constructor' && typeof object[key] === 'function') {
+      return;
+    }
+
     if (key == '__proto__') {
       return;
     }
diff --git a/debounce.js b/debounce.js
index 49e9aa07d..3d0dd3798 100644
--- a/debounce.js
+++ b/debounce.js
@@ -174,6 +174,7 @@ define(['./isObject', './now', './toNumber'], function(isObject, now, toNumber)
         }
         if (maxing) {
           // Handle invocations in a tight loop.
+          clearTimeout(timerId);
           timerId = setTimeout(timerExpired, wait);
           return invokeFunc(lastCallTime);
         }
diff --git a/main.js b/main.js
index 0f99b4fd2..962b77ca9 100644
--- a/main.js
+++ b/main.js
@@ -2,7 +2,7 @@
  * @license
  * Lodash (Custom Build) <https://lodash.com/>
  * Build: `lodash exports="amd" -d -o ./main.js`
- * Copyright JS Foundation and other contributors <https://js.foundation/>
+ * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
  * Released under MIT license <https://lodash.com/license>
  * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
  * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
@@ -13,7 +13,7 @@
   var undefined;
 
   /** Used as the semantic version number. */
-  var VERSION = '4.17.11';
+  var VERSION = '4.17.12';
 
   /** Used as the size to enable large array optimizations. */
   var LARGE_ARRAY_SIZE = 200;
@@ -2672,16 +2672,10 @@
         value.forEach(function(subValue) {
           result.add(baseClone(subValue, bitmask, customizer, subValue, value, stack));
         });
-
-        return result;
-      }
-
-      if (isMap(value)) {
+      } else if (isMap(value)) {
         value.forEach(function(subValue, key) {
           result.set(key, baseClone(subValue, bitmask, customizer, key, value, stack));
         });
-
-        return result;
       }
 
       var keysFunc = isFull
@@ -3605,8 +3599,8 @@
         return;
       }
       baseFor(source, function(srcValue, key) {
+        stack || (stack = new Stack);
         if (isObject(srcValue)) {
-          stack || (stack = new Stack);
           baseMergeDeep(object, source, key, srcIndex, baseMerge, customizer, stack);
         }
         else {
@@ -5423,7 +5417,7 @@
       return function(number, precision) {
         number = toNumber(number);
         precision = precision == null ? 0 : nativeMin(toInteger(precision), 292);
-        if (precision) {
+        if (precision && nativeIsFinite(number)) {
           // Shift with exponential notation to avoid floating-point issues.
           // See [MDN](https://mdn.io/round#Examples) for more details.
           var pair = (toString(number) + 'e').split('e'),
@@ -6606,7 +6600,7 @@
     }
 
     /**
-     * Gets the value at `key`, unless `key` is "__proto__".
+     * Gets the value at `key`, unless `key` is "__proto__" or "constructor".
      *
      * @private
      * @param {Object} object The object to query.
@@ -6614,6 +6608,10 @@
      * @returns {*} Returns the property value.
      */
     function safeGet(object, key) {
+      if (key === 'constructor' && typeof object[key] === 'function') {
+        return;
+      }
+
       if (key == '__proto__') {
         return;
       }
@@ -10414,6 +10412,7 @@
           }
           if (maxing) {
             // Handle invocations in a tight loop.
+            clearTimeout(timerId);
             timerId = setTimeout(timerExpired, wait);
             return invokeFunc(lastCallTime);
           }
@@ -14800,9 +14799,12 @@
       , 'g');
 
       // Use a sourceURL for easier debugging.
+      // The sourceURL gets injected into the source that's eval-ed, so be careful
+      // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
+      // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
       var sourceURL = '//# sourceURL=' +
-        ('sourceURL' in options
-          ? options.sourceURL
+        (hasOwnProperty.call(options, 'sourceURL')
+          ? (options.sourceURL + '').replace(/[\r\n]/g, ' ')
           : ('lodash.templateSources[' + (++templateCounter) + ']')
         ) + '\n';
 
@@ -14835,7 +14837,9 @@
 
       // If `variable` is not specified wrap a with-statement around the generated
       // code to add the data object to the top of the scope chain.
-      var variable = options.variable;
+      // Like with sourceURL, we take care to not check the option's prototype,
+      // as this configuration is a code injection vector.
+      var variable = hasOwnProperty.call(options, 'variable') && options.variable;
       if (!variable) {
         source = 'with (obj) {\n' + source + '\n}\n';
       }
@@ -17040,10 +17044,11 @@
     baseForOwn(LazyWrapper.prototype, function(func, methodName) {
       var lodashFunc = lodash[methodName];
       if (lodashFunc) {
-        var key = (lodashFunc.name + ''),
-            names = realNames[key] || (realNames[key] = []);
-
-        names.push({ 'name': methodName, 'func': lodashFunc });
+        var key = lodashFunc.name + '';
+        if (!hasOwnProperty.call(realNames, key)) {
+          realNames[key] = [];
+        }
+        realNames[key].push({ 'name': methodName, 'func': lodashFunc });
       }
     });
 
diff --git a/package.json b/package.json
index a3109f809..171e6d3b2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "lodash-amd",
-  "version": "4.17.11",
+  "version": "4.17.12",
   "description": "Lodash exported as AMD modules.",
   "keywords": "amd, modules, stdlib, util",
   "homepage": "https://lodash.com/custom-builds",
@@ -8,11 +8,10 @@
   "repository": "lodash/lodash",
   "license": "MIT",
   "main": "main.js",
-  "author": "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
+  "author": "John-David Dalton <john.david.dalton@gmail.com>",
   "contributors": [
-    "John-David Dalton <john.david.dalton@gmail.com> (http://allyoucanleet.com/)",
-    "Blaine Bublitz <blaine.bublitz@gmail.com> (https://github.com/phated)",
-    "Mathias Bynens <mathias@qiwi.be> (https://mathiasbynens.be/)"
+    "John-David Dalton <john.david.dalton@gmail.com>",
+    "Mathias Bynens <mathias@qiwi.be>"
   ],
   "scripts": { "test": "echo \"See https://travis-ci.org/lodash-archive/lodash-cli for testing details.\"" }
 }
diff --git a/template.js b/template.js
index b0052721a..31622d426 100644
--- a/template.js
+++ b/template.js
@@ -20,6 +20,12 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
   /** Used to match unescaped characters in compiled string literals. */
   var reUnescapedString = /['\n\r\u2028\u2029\\]/g;
 
+  /** Used for built-in method references. */
+  var objectProto = Object.prototype;
+
+  /** Used to check objects for own properties. */
+  var hasOwnProperty = objectProto.hasOwnProperty;
+
   /**
    * Creates a compiled template function that can interpolate data properties
    * in "interpolate" delimiters, HTML-escape interpolated data properties in
@@ -155,7 +161,14 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
     , 'g');
 
     // Use a sourceURL for easier debugging.
-    var sourceURL = 'sourceURL' in options ? '//# sourceURL=' + options.sourceURL + '\n' : '';
+    // The sourceURL gets injected into the source that's eval-ed, so be careful
+    // with lookup (in case of e.g. prototype pollution), and strip newlines if any.
+    // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+    var sourceURL = hasOwnProperty.call(options, 'sourceURL')
+      ? ('//# sourceURL=' +
+         (options.sourceURL + '').replace(/[\r\n]/g, ' ') +
+         '\n')
+      : '';
 
     string.replace(reDelimiters, function(match, escapeValue, interpolateValue, esTemplateValue, evaluateValue, offset) {
       interpolateValue || (interpolateValue = esTemplateValue);
@@ -186,7 +199,9 @@ define(['./assignInWith', './attempt', './_baseValues', './_customDefaultsAssign
 
     // If `variable` is not specified wrap a with-statement around the generated
     // code to add the data object to the top of the scope chain.
-    var variable = options.variable;
+    // Like with sourceURL, we take care to not check the option's prototype,
+    // as this configuration is a code injection vector.
+    var variable = hasOwnProperty.call(options, 'variable') && options.variable;
     if (!variable) {
       source = 'with (obj) {\n' + source + '\n}\n';
     }