847 dependencies scanned · 18 min ago
A prototype pollution vulnerability in lodash allows attackers to inject properties into Object.prototype via the merge, mergeWith, and defaultsDeep functions. This can lead to remote code execution when untrusted input is passed to these functions.
Upgrade lodash to version 4.17.22 or later. Run: npm install [email protected]. If upgrading is not immediately possible, validate all inputs to merge/mergeWith/defaultsDeep and reject objects with __proto__ or constructor keys.