jonschlinkert / defaults-deep Goto Github PK

View Code? Open in Web Editor NEW

25.0 3.0 12.0 12 KB

Like `extend` but recursively copies only the missing properties/values to the target object.

License: MIT License

JavaScript 100.00%

deep extend merge javascript jonschlinkert nodejs

defaults-deep's Introduction

defaults-deep

Like extend but recursively copies only the missing properties/values to the target object.

Install

Install with npm

$ npm i defaults-deep --save

Install with bower

$ bower install defaults-deep --save

Usage

var defaults = require('defaults-deep');

defaults({a: {one: 'one'}}, {a: {two: 'two'}})
//=> {a: {one: 'one', two: 'two'}};

Related projects

assign-deep: Deeply assign the enumerable properties of source objects to a destination object. If a callback… more
extend-shallow: Extend an object with the properties of additional objects. node.js/javascript util.
merge-deep: Recursively merge values in a javascript object.
mixin-deep: Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone.
omit-deep: Recursively omit the given keys from an object.

Running tests

Install dev dependencies:

$ npm i -d && npm test

Contributing

Pull requests and stars are always welcome. For bugs and feature requests, please create an issue

Author

Jon Schlinkert

License

This file was generated by verb-cli on May 28, 2015.

defaults-deep's People

Contributors

Stargazers

Watchers

Forkers

gimi-org homebrewerluke asko1205 wesm87 game-dev-network evandarwin pi0 omrilotan riddhi77 qsmally logotip4ik scantist-ossops-m2

defaults-deep's Issues

Custom validation callback

Hello,
If found this package pretty useful but the "missing" criteria doesn't match with my needs.
So I would propose (as a new feature) having a custom, optional, callback as the last parameter so the user can modify this at his will.

It could look something like this (3 lines change):

function defaultsDeep(target, objects, isMissing) {
  target = target || {};
  isMissing = isMissing || ((val) => val == null);
  [...]
      if (isMissing(val)) {
        target[key] = value;
      }
  [...]
}

Dependant Package "defaults-deep" is flagged as having a 'moderate' issue

Prior to publishing one of my applications today, ran into this warning today.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ defaults-deep                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ update                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ update > base-cli-process > base-config-process >            │
│               │ base-config-schema > base-pkg > expand-pkg > defaults-deep   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/778                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

don't change origin object

const a = {client: {}};
const b = {test:'test', client: { a: 'b'}};
const c = defaults({}, a, b);

// should not change a
assert(a.client.a === undefined);

Abandoned project?

Due to the lack of issues and PR's being responded to is has this project been abandoned?

One more mistake ;p

WTF https://github.com/jonschlinkert/defaults-deep/blob/master/index.js#L23 There's no defaults expression anywhere in this file ;d

And, why 2 separate modules (this and object.defaults) for only 2 different behaviors seen in 4th and 5th tests of the modules?!

Vulnerability Detected

Prototype Pollution
defaults-deep is vulnerable to prototype pollution. Properties of the Object prototype can be added or modified via JSON.parse, causing a denial of service condition or possibly remote code execution depending on the application.