Ulises Gascón
edadd45214
Prevent prototype pollution on baseUnset function
* test: add tests to prevent security regressions
* sec: prevent prototype pollution on `baseUnset` function
* chore: improve security patch
- Expand both `_.omit` & `_.unset` security tests to loop over `__proto__`, `constructor`, `prototype`
- Only block `__proto__` if not an own property
2025-12-05 13:29:20 -05:00
Ulises Gascón
4afb725803
Add CI pipeline for Node (#6022)
* chore: linting
* ci: add ci pipeline for Node.js
* ci: add support for Node@25
* Update .github/workflows/ci-node.yml
Co-authored-by: Jon Church <me@jonchurch.com>
---------
Co-authored-by: Jon Church <me@jonchurch.com>
2025-10-27 06:31:52 -04:00
Michał Lipiński
c4847ebe7d
Improve performance of toNumber, trim and trimEnd on large input strings
This prevents potential ReDoS attacks using `_.toNumber` and `_.trim*`
as potential attack vectors.
Closes #5065.
2021-02-20 17:18:39 +08:00
Christophe Coevoet
3469357cff
Prevent command injection through _.template's variable option
Closes #5085.
2021-02-20 16:28:01 +08:00
Benjamin Tan
00f0f62a97
test.js: Remove trailing comma.
2020-07-26 19:38:01 +08:00
Jakub Mikulas
c84fe82760
fix(zipObjectDeep): prototype pollution (#4759)
2020-07-02 14:47:49 -07:00
Alex Brasetvik
e7b28ea6cb
Sanitize sourceURL so it cannot affect evaled code (#4518)
2020-06-03 23:36:12 -07:00
Chinedum Ukejianya
0cec225778
Fix lodash.isEqual for circular references (#4320) (#4515)
2019-10-16 14:43:11 -07:00
Michał Lipiński
659e8c019c
Ensure orderBy will accept iteratee path arrays #4438 (#4513)
2019-10-10 13:04:37 -07:00
Graeme Yeates
602cc3f03d
(4.17) Short circuit sortedIndexBy methods for empty arrays (#4497)
2019-10-04 10:23:55 -07:00
John-David Dalton
17a34bc585
Fix test bootstrap for core build.
2019-07-09 12:48:18 -07:00
John-David Dalton
53838a38f8
Fix tests in older browsers.
2019-07-09 12:43:33 -07:00
John-David Dalton
29e258497b
Fix style:test lint nits.
2019-07-09 09:53:48 -07:00
John-David Dalton
deb65de218
Revert "perf(toNumber): use +value to convert binary/octal/hexadecimal string (#4230)"
This reverts commit 7084300d34.
2019-07-09 09:29:54 -07:00
Kirill
1f8ea07746
fix: prototype pollution in _.defaultsDeep (#4336)
2019-06-24 09:17:55 -07:00
Jeff Friesen
343456d696
Round Infinity with a precision argument returns Infinity (#4272)
* Round Infinity with a precision argument returns Infinity
* Also making sure this is true for -Infinity
* Tested with _.round(), _.floor() and _.ceil()
* Switch to using isFinite to check if number should be rounded
* Add tests for rounding NaN now that there is an isFinite check
2019-04-18 13:04:18 -07:00
Marc Hassan
0b8592a35c
mergeWith: stack passed to customizer should always be defined (#4244)
Summary:
If the first values encountered in the `object` in mergeWith are not objects, `stack` is undefined when passed to the `customizer`. Once the first object-ish value is encountered, `stack` gets initialized, and all further calls to `customizer` include a defined `stack`. This PR makes `stack` always defined, even before the first object-ish value is encountered.
2019-03-21 20:54:53 -07:00
Amu
7084300d34
perf(toNumber): use +value to convert binary/octal/hexadecimal string (#4230)
2019-03-13 22:47:28 -07:00
John-David Dalton
d8ddc1a15f
Add test for indirectly merging Object properties.
2018-08-31 15:34:45 -07:00
John-David Dalton
278c6dd33d
Cleanup _.merge tests for function properties.
2018-08-30 22:58:11 -07:00
sina
79b9d20a91
Fix inconsistent merging of multiple sources to function property
2018-08-30 22:35:04 -07:00
John-David Dalton
6e62e1e8df
Cleanup ReDoS test.
2018-08-30 22:33:55 -07:00
Manuel Jasso
5c08f18d36
Prevent ReDoS
To fix https://github.com/lodash/lodash/issues/3359, modified reHasUnicodeWord to remove an unnecessary comma which made the regex greedy, this is only a test regex and not a matching regex. Added unit tests, this now should run under 5 ms instead of over 1000 ms for huge 50k+ char words.
2018-08-30 22:07:27 -07:00
John-David Dalton
90e6199a16
Ensure Object.prototype is not augmented by _.merge.
2018-08-30 22:06:15 -07:00
John-David Dalton
5e58cd216c
Fix style nits.
2018-02-03 21:25:41 -08:00
John-David Dalton
d8e069cc34
Avoid merging properties on to __proto__ objects.
2018-01-30 23:21:12 -08:00
John-David Dalton
e33b15674d
Ensure _.omit doesn’t mutate object with deep paths. [closes #2912]
2016-12-30 18:09:11 -06:00
John-David Dalton
ec74813be6
Add non-enumerable symbol tests.
2016-11-24 00:07:26 -06:00
John-David Dalton
67926a4df2
Minor test nit.
2016-11-24 00:07:26 -06:00
John-David Dalton
40a591d0c0
Test _.isEqual crawls symbol properties.
2016-11-24 00:07:26 -06:00
John-David Dalton
a3e077324a
Add support for comparing symbol properties to _.isEqual. [closes #2840]
2016-11-21 23:34:21 -06:00
John-David Dalton
95d3477c22
Fix code style nits.
2016-11-15 22:04:15 -08:00
John-David Dalton
a06d1a0313
Add _.omit and _.pick tests for keys over paths.
2016-11-15 21:47:03 -08:00
John-David Dalton
330c8cb46e
Cleanup path tests.
2016-11-15 21:46:14 -08:00
John-David Dalton
4cb7bea97d
Ensure _.spread doesn’t include arguments after those spread. [closes #2825]
2016-11-15 10:41:11 -08:00
John-David Dalton
ce093845e1
Ensure _.pick supports path arrays. [closes #2809]
2016-11-14 01:06:35 -08:00
John-David Dalton
102c5f00d7
Ensure _.pickBy doesn’t treat keys with dots as deep paths. [closes #2808]
2016-11-14 00:49:47 -08:00
John-David Dalton
2e4c997dba
Use more clear condition in unclonable test.
2016-11-07 23:00:31 -08:00
John-David Dalton
5aaf7e40ae
Cleanup deep path tests.
2016-11-07 23:00:21 -08:00
Aviv Rosental
9ac729e1bc
Add deep functionality for _.omit and _.pick. (#2794)
2016-11-06 17:02:41 -08:00
John-David Dalton
3217118fab
Add more _.spread tests.
2016-11-06 00:39:13 -07:00
John-David Dalton
1b3815928d
Ensure fp.mergeAllWith accepts more than 2 sources. [closes #2786]
2016-11-04 01:10:54 -07:00
John-David Dalton
62b66305f2
Adjust conditional assignments.
2016-10-31 20:34:49 -07:00
John-David Dalton
0fcf43b02b
Ensure _.xor returns an empty array when comparing the same array. [closes #2776]
2016-10-31 16:32:58 -07:00
John-David Dalton
d7dbf0951d
Add another _.xor test for multiple arrays.
2016-10-29 18:32:23 -07:00
John-David Dalton
daf6de6a46
Add uncloneable Proxy constructor test.
2016-10-29 18:32:23 -07:00
John-David Dalton
7d4c3ed404
Add async function detection to _.isFunction.
2016-10-29 18:32:23 -07:00
John-David Dalton
b91a515258
Cleanup test labels.
2016-10-27 00:06:59 -07:00
John-David Dalton
bc5729a9de
Use consistent nullish checks.
2016-10-27 00:06:59 -07:00
John-David Dalton
729d1a57aa
Ensure _.xor works with more than two arrays. [closes #2758]
2016-10-27 00:06:59 -07:00