Low severity vulnerability that affects extend
A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.
Affected versions: >= 3.0.0 < 3.0.2

Changelog

Sourced fromextend's changelog.

3.0.2 / 2018-07-19
[Fix] Prevent merging__proto__ property (#48)
[Dev Deps] updateeslint,@ljharb/eslint-config,tape
[Tests] up tonodev10.7,v9.11,v8.11,v7.10,v6.14,v4.9; usenvm install-latest-npm

Commits

8d106d2 v3.0.2
e97091f [Dev Deps] updatetape
e841aac [Tests] up tonodev10.7
0e68e71 [Fix] Prevent mergingproto property
a689700 Only apps should have lockfiles
f13c1c4 [Dev Deps] updateeslint,@ljharb/eslint-config,tape
f3570fe [Tests] up tonodev10.0,v9.11,v8.11,v7.10,v6.14,v4.9; use...
See full diff incompare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting@dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge
@dependabot reopen will reopen this PR if it is closed
@dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
@dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabotdashboard:

Update frequency (including time of day and day of week)
Automerge options (never/patch/minor, and dev/runtime dependencies)
Pull request limits (per update run and/or open at any time)
Out-of-range updates (receive only lockfile updates, if desired)
Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning@dependabot.

[Security] Bump extend from 3.0.1 to 3.0.2

d665bed

Bumps [extend](https://github.com/justmoon/node-extend) from 3.0.1 to 3.0.2. **This update includes security fixes.**- [Release notes](https://github.com/justmoon/node-extend/releases)- [Changelog](https://github.com/justmoon/node-extend/blob/master/CHANGELOG.md)- [Commits](justmoon/node-extend@v3.0.1...v3.0.2)Signed-off-by: dependabot[bot] <support@dependabot.com>