TehShrike / deepmerge

A library for deep (recursive) merging of Javascript objects
MIT License

prototype pollution vulnerability #158

Closed ChiralMichael closed 5 years ago

ChiralMichael commented 5 years ago

Deepmerge has prototype pollution issues. Both what recently hit lodash, as well as merging objects containing '__proto__' definitions. Repros are in the link and elsewhere.

https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution-security-vulnerabilities-affecting-all-versions-of-lodash/
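Added illustration, not deepmerge's code and not the reporter's repro: a minimal recursive merge that refuses to write through the `__proto__`, `constructor` and `prototype` keys (the two pollution paths named in this thread), plus the check a maintainer would run, confirming that `Object.prototype` is untouched after merging a constructed JSON payload that carries a `__proto__` key. The names `safeMerge` and `mergeUntrustedPayload` and the sample config are assumptions.

```javascript
// Keys that, if copied or recursed into, could reach the prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain objects are merged recursively; arrays, class instances and
// primitives are copied by reference like deepmerge-style libraries do.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Merge `source` into a fresh copy of `target`. Blocked keys are skipped on
// both sides, so a key named "__proto__" is never assigned (which would hit
// the Object.prototype.__proto__ setter) and never descended into.
function safeMerge(target, source) {
  const out = {};
  for (const key of Object.keys(target)) {
    if (!BLOCKED_KEYS.has(key)) out[key] = target[key];
  }
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    out[key] = isPlainObject(out[key]) && isPlainObject(src) ? safeMerge(out[key], src) : src;
  }
  return out;
}

// Defender's check: JSON.parse turns "__proto__" into an ordinary own key,
// so the payload really does carry it; after merging, a fresh {} must have
// gained nothing. Payload and config are constructed sample data.
function mergeUntrustedPayload() {
  const config = { retries: 3, tls: { verify: true } };
  const payload = JSON.parse('{"tls":{"verify":false},"__proto__":{"polluted":true}}');
  const merged = safeMerge(config, payload);
  return {
    merged,
    payloadHadProtoKey: Object.keys(payload).includes('__proto__'),
    prototypeClean: !('polluted' in {}),
  };
}
```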

ChiralMichael commented 5 years ago

Sorry, this is a mistake. I will have a positive repro before re-opening.

macdja38 commented 5 years ago

@ChiralMichael Please report vulnerabilities in a private fashion so that we have at least some time to decide how to fix them before releasing the info publicly along with a patched version.

At the moment I don't think we really have a good way of security vulnerabilities, we'll try and come up with something soon.

ChiralMichael commented 5 years ago

Jake,

Makes sense, I will do so in the future. At any rate, I retract the vulnerability; further investigation shows that you are fine. I am sorry for the spam.

--michael

On Fri, Aug 9, 2019 at 8:42 AM Jake notifications@github.com wrote:

@ChiralMichael https://github.com/ChiralMichael Please report vulnerabilities in a private fashion so that we have at least some time to decide how to fix them before releasing the info publicly along with a patched version.

At the moment I don't think we really have a good way of security vulnerabilities, we'll try and come up with something soon.
