|
1 | 1 | /** |
2 | 2 | * @license |
3 | 3 | * Lodash <https://lodash.com/> |
4 | | - * Copyright JS Foundation and other contributors <https://js.foundation/> |
| 4 | + * Copyright OpenJS Foundation and other contributors <https://openjsf.org/> |
5 | 5 | * Released under MIT license <https://lodash.com/license> |
6 | 6 | * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE> |
7 | 7 | * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors |
|
12 | 12 | var undefined; |
13 | 13 |
|
14 | 14 | /** Used as the semantic version number. */ |
15 | | - var VERSION = '4.17.11'; |
| 15 | + var VERSION = '4.17.12'; |
16 | 16 |
|
17 | 17 | /** Used as the size to enable large array optimizations. */ |
18 | 18 | var LARGE_ARRAY_SIZE = 200; |
|
2671 | 2671 | value.forEach(function(subValue) { |
2672 | 2672 | result.add(baseClone(subValue, bitmask, customizer, subValue, value, stack)); |
2673 | 2673 | }); |
2674 | | - |
2675 | | - return result; |
2676 | | - } |
2677 | | - |
2678 | | - if (isMap(value)) { |
| 2674 | + } else if (isMap(value)) { |
2679 | 2675 | value.forEach(function(subValue, key) { |
2680 | 2676 | result.set(key, baseClone(subValue, bitmask, customizer, key, value, stack)); |
2681 | 2677 | }); |
2682 | | - |
2683 | | - return result; |
2684 | 2678 | } |
2685 | 2679 |
|
2686 | 2680 | var keysFunc = isFull |
|
3604 | 3598 | return; |
3605 | 3599 | } |
3606 | 3600 | baseFor(source, function(srcValue, key) { |
| 3601 | + stack || (stack = new Stack); |
3607 | 3602 | if (isObject(srcValue)) { |
3608 | | - stack || (stack = new Stack); |
3609 | 3603 | baseMergeDeep(object, source, key, srcIndex, baseMerge, customizer, stack); |
3610 | 3604 | } |
3611 | 3605 | else { |
|
5422 | 5416 | return function(number, precision) { |
5423 | 5417 | number = toNumber(number); |
5424 | 5418 | precision = precision == null ? 0 : nativeMin(toInteger(precision), 292); |
5425 | | - if (precision) { |
| 5419 | + if (precision && nativeIsFinite(number)) { |
5426 | 5420 | // Shift with exponential notation to avoid floating-point issues. |
5427 | 5421 | // See [MDN](https://mdn.io/round#Examples) for more details. |
5428 | 5422 | var pair = (toString(number) + 'e').split('e'), |
|
6605 | 6599 | } |
6606 | 6600 |
|
6607 | 6601 | /** |
6608 | | - * Gets the value at `key`, unless `key` is "__proto__". |
| 6602 | + * Gets the value at `key`, unless `key` is "__proto__" or "constructor". |
6609 | 6603 | * |
6610 | 6604 | * @private |
6611 | 6605 | * @param {Object} object The object to query. |
6612 | 6606 | * @param {string} key The key of the property to get. |
6613 | 6607 | * @returns {*} Returns the property value. |
6614 | 6608 | */ |
6615 | 6609 | function safeGet(object, key) { |
| 6610 | + if (key === 'constructor' && typeof object[key] === 'function') { |
| 6611 | + return; |
| 6612 | + } |
| 6613 | + |
6616 | 6614 | if (key == '__proto__') { |
6617 | 6615 | return; |
6618 | 6616 | } |
|
10413 | 10411 | } |
10414 | 10412 | if (maxing) { |
10415 | 10413 | // Handle invocations in a tight loop. |
| 10414 | + clearTimeout(timerId); |
10416 | 10415 | timerId = setTimeout(timerExpired, wait); |
10417 | 10416 | return invokeFunc(lastCallTime); |
10418 | 10417 | } |
|
14799 | 14798 | , 'g'); |
14800 | 14799 |
|
14801 | 14800 | // Use a sourceURL for easier debugging. |
| 14801 | + // The sourceURL gets injected into the source that's eval-ed, so be careful |
| 14802 | + // with lookup (in case of e.g. prototype pollution), and strip newlines if any. |
| 14803 | + // A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection. |
14802 | 14804 | var sourceURL = '//# sourceURL=' + |
14803 | | - ('sourceURL' in options |
14804 | | - ? options.sourceURL |
| 14805 | + (hasOwnProperty.call(options, 'sourceURL') |
| 14806 | + ? (options.sourceURL + '').replace(/[\r\n]/g, ' ') |
14805 | 14807 | : ('lodash.templateSources[' + (++templateCounter) + ']') |
14806 | 14808 | ) + '\n'; |
14807 | 14809 |
|
|
14834 | 14836 |
|
14835 | 14837 | // If `variable` is not specified wrap a with-statement around the generated |
14836 | 14838 | // code to add the data object to the top of the scope chain. |
14837 | | - var variable = options.variable; |
| 14839 | + // Like with sourceURL, we take care to not check the option's prototype, |
| 14840 | + // as this configuration is a code injection vector. |
| 14841 | + var variable = hasOwnProperty.call(options, 'variable') && options.variable; |
14838 | 14842 | if (!variable) { |
14839 | 14843 | source = 'with (obj) {\n' + source + '\n}\n'; |
14840 | 14844 | } |
@@ -17039,10 +17043,11 @@ |
17039 | 17043 | baseForOwn(LazyWrapper.prototype, function(func, methodName) { |
17040 | 17044 | var lodashFunc = lodash[methodName]; |
17041 | 17045 | if (lodashFunc) { |
17042 | | - var key = (lodashFunc.name + ''), |
17043 | | - names = realNames[key] || (realNames[key] = []); |
17044 | | - |
17045 | | - names.push({ 'name': methodName, 'func': lodashFunc }); |
| 17046 | + var key = lodashFunc.name + ''; |
| 17047 | + if (!hasOwnProperty.call(realNames, key)) { |
| 17048 | + realNames[key] = []; |
| 17049 | + } |
| 17050 | + realNames[key].push({ 'name': methodName, 'func': lodashFunc }); |
17046 | 17051 | } |
17047 | 17052 | }); |
17048 | 17053 |
|
|
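Review bot: In the template hunk, the new `sourceURL` sanitiser `(options.sourceURL + '').replace(/[\r\n]/g, ' ')` strips only CR and LF, but ECMAScript also treats U+2028 and U+2029 as line terminators, so either one still ends the `//# sourceURL=` comment inside the source that gets evaluated. Replacing every whitespace character covers all four terminators: `? (options.sourceURL + '').replace(/\s/g, ' ')`. In the next hunk, the own-property check on `variable` stops an inherited value from being picked up, but the value itself is not validated on these lines. If it is later concatenated into the generated function source (not visible here), it should be restricted to a plain identifier before use. The enclosing template function starts and ends outside both hunks.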