Severity: Critical

deep-defaults CVE-2021-25944

Prototype Pollution in deep-defaults

The problem

deep-defaults <= 1.0.5 (all published versions) is affected by CVE-2021-25944 (CWE-1321 Prototype Pollution). The published package has no fix available, which is exactly what npm audit reports. `deep-defaults` recursively fills in missing values on a target object from a source object. Because it does not guard against reserved property names, a source object parsed from untrusted JSON that contains a `__proto__` key makes the recursion descend into `Object.prototype` and add properties there, polluting every object in the process.

The fix — drop-in, no code changes

Add an overrides entry to your root package.json (supported by npm 8.3 and later) so every direct and transitive dependency on deep-defaults resolves to the patched fork, then reinstall:

{
  "overrides": {
    "deep-defaults": "npm:@keep-lts/deep-defaults@^1.0.6"
  }
}

Equivalent for Yarn: add the same mapping under resolutions. The public API is unchanged, so there is nothing else to do.

Published on npm as @keep-lts/deep-defaults. To install it directly: npm i @keep-lts/deep-defaults

What we changed

Source keys naming a prototype slot (`__proto__`, `constructor`, `prototype`) are skipped, so untrusted data can never reach `Object.prototype`. All legitimate default-merging behavior is preserved (verified by the ported upstream behavior test cases).
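The guard described above, as an added example that is not the deep-defaults or @keep-lts source: a minimal recursive defaults merge that skips reserved keys, plus two defender-side helpers for validating untrusted input before any merge and for checking whether the running process has already been polluted. The names `safeDeepDefaults`, `findReservedKeys`, `pollutedPrototypeKeys` and `RESERVED_KEYS` are this example's own, and the JSON payload is constructed from the proof of concept below.

```javascript
'use strict';
// Added example, not the package's own code. Illustrates the fix: keys that
// name a prototype slot are never copied from an untrusted source object.

// Keys naming a prototype slot; assumed set, matching the advisory text.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Fill in keys missing from `target` using `source`, recursing into nested
// plain objects. Existing values in `target` are never overwritten, and
// reserved keys are skipped so the walk can never reach Object.prototype.
function safeDeepDefaults(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED_KEYS.has(key)) continue;        // the fix: never walk into a prototype slot
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (!hasOwn || target[key] === undefined) {
      // Clone nested objects so defaults are not shared by reference.
      target[key] = isPlainObject(value) ? safeDeepDefaults({}, value) : value;
    } else if (isPlainObject(value) && isPlainObject(target[key])) {
      safeDeepDefaults(target[key], value);
    }
    // Otherwise target already has a non-object value: defaults never overwrite.
  }
  return target;
}

// Input validation: return the dotted path of every reserved key found
// anywhere in an untrusted object, so a caller can reject or log the payload
// before it reaches any merge routine, not only this one.
function findReservedKeys(obj, path = '') {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (RESERVED_KEYS.has(key)) hits.push(here);
    else hits.push(...findReservedKeys(obj[key], here));
  }
  return hits;
}

// Health check: Object.prototype normally has no enumerable own keys, so any
// entry returned here is evidence that this process has been polluted.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

// Constructed sample: the proof-of-concept payload as it would arrive in an
// untrusted JSON body, merged after a legitimate defaults object.
const untrusted = JSON.parse('{"__proto__":{"polluted":"yes"},"retries":3}');
const config = safeDeepDefaults({ timeout: 1000 }, { timeout: 5000, nested: { a: 1 } });
safeDeepDefaults(config, untrusted);

console.log('reserved keys in payload:', findReservedKeys(untrusted));
console.log('config:', JSON.stringify(config));
console.log('Object.prototype polluted:', pollutedPrototypeKeys().length > 0);
```

`findReservedKeys` is worth running on request bodies even where the patched fork is installed: a `__proto__` key in a config payload is never legitimate input, and logging its path gives a clean detection signal for attempts against any other merge code in the service.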

Proof of concept (the vulnerability)

const dd = require('deep-defaults');
dd({}, JSON.parse('{"__proto__":{"polluted":"yes"}}'));
console.log(({}).polluted); // => 'yes'

Patched version: @keep-lts/deep-defaults@1.0.6
Weekly downloads (affected package): 14,302
Regression tests: 4 passing
License: MIT

How we keep it trustworthy

Full advisory and changelog ship inside the package (SECURITY.md, CHANGELOG.md).
