npm - mathjs - Versions diffs - 7.5.0 → 7.5.1 - Mend

mathjs 7.5.0 → 7.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/HISTORY.md CHANGED Viewed

@@ -1,5 +1,10 @@
 # History
+# 2020-10-10, version 7.5.1
+- Fix object pollution vulnerability in `math.config`. Thanks Snyk.
 # 2020-10-07, version 7.5.0
 - Function `pickRandom` now allows randomly picking elements from matrices

package/dist/math.js CHANGED Viewed

@@ -6,8 +6,8 @@
  * It features real and complex numbers, units, matrices, a large set of
  * mathematical functions, and a flexible expression parser.
  *
- * @version 7.5.0
- * @date    2020-10-07
+ * @version 7.5.1
+ * @date    2020-10-10
  *
  * @license
  * Copyright (C) 2013-2020 Jos de Jong <wjosdejong@gmail.com>
@@ -1233,7 +1233,9 @@ function deepExtend(a, b) {
   }
   for (var prop in b) {
-    if (hasOwnProperty(b, prop)) {
+    // We check against prop not being in Object.prototype or Function.prototype
+    // to prevent polluting for example Object.__proto__.
+    if (hasOwnProperty(b, prop) && !(prop in Object.prototype) && !(prop in Function.prototype)) {
       if (b[prop] && b[prop].constructor === Object) {
         if (a[prop] === undefined) {
           a[prop] = {};
@@ -60659,7 +60661,7 @@ var createReplacer = /* #__PURE__ */Object(factory["a" /* factory */])(replacer_
   };
 });
 // CONCATENATED MODULE: ./src/version.js
-var version = '7.5.0'; // Note: This file is automatically generated when building math.js.
+var version = '7.5.1'; // Note: This file is automatically generated when building math.js.
 // Changes made in this file will be overwritten.
 // CONCATENATED MODULE: ./src/plain/number/constants.js
 var constants_pi = Math.PI;