Example:

original object, two fields, fontValueTitle and fontValueSubitle are pointing to one object

const genericFonts = [
  {
    "family": "serif",
  }, {
    "family": "sans-serif",
  },
]

const configDefaults = {
    fontValueTitle: genericFonts[0],
    fontValueSubitle: genericFonts[0],
}

then I'm doning this:

let config = {
    fontValueTitle: {
        family:"customFont1"
    }, 
    fontValueSubtitle: {
        family:"customFont2"
    }
}
config = deepExtend({...configDefaults}, config)

and the output is

{
    fontValueTitle: {
        family:"customFont2"
    }, 
    fontValueSubtitle: {
        family:"customFont2"
    }
}

The title does include Node, but I was wondering if this is safe to use in the browser?

Hey from Node.js here!,

Starting on Node 10 this package will emit deprecation warnings. See this guide on what you should do in order to migrate to Buffer.alloc/Buffer.from.

See nodejs/node#19079 for discussion around this change and why we can't make new Buffer work

When trying to use this library with react-native it throws the following error saying Buffer is not defined.

I know I can install buffer as a dependency but I would like to avoid adding another dependency to my project when we aren't using Buffer at all.

I resolved the error by adding the following to my code before I used deepExtend.

global.Buffer = global.Buffer || class Buffer {}

if you actually need the functionality for another library, install buffer as a dependency

global.Buffer = global.Buffer || require('buffer').Buffer

Would a PR that adds support for Symbols be accepted?

In the current state they are dropped since they are not a enumerable property which are the only ones that are managed since Object.keys is used.

The license information in package.json is deprecated / misleading.

According to the package.json specification, an SPDX license expression 2.0 compliant license string should be provided under field license in a package.json. License objects like { type: "MIT", url: "..."} under license as well as license object arrays under licenses are deprecated.

This project has both a valid SPDX license string under license (MIT) as well as the deprecated licenses field, so removing the latter will fix the issue.

I came across this when building a tool to extract license information from all dependencies of a project and mapping them to canonical licenses. Encountering two fields carrying the same information makes it hard to decide which one to use.

var book={};
var book.info = [ 
        {
            "title" : "Session 1",
           "description" : "XYZ"
        }, 
        {
            "title" : "Session 2",
          "description": "YYY"
        }
    ]

var dataToSave ={data:[]}

extend(dataToSave, book);

it shows: 


dataToSave.data = [ 
        {
            "title" : "Session 1",
           "description" : "XYZ"
        }, 
        {
            "title" : "Session 1",
           "description" : "XYZ"
        }
    ]

As you can see final data gives same elements in array, Please help me out!

Thanks,

Hey there!

I belong to an open source security research community, and a member (@ranjit-git) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Hi, I have an issue when doing the following:

var deepExtend = require('deep-extend'),

var obj = {
d: new Date()
};

deepExtend({}, obj); // gives { d: {} }

var extendedObj = deepExtend({
    a: [1,2,3]
}, {
    a: [2,3]
});
console.log(extendedObj);
// { a: [ 2, 3, 3 ] }, however in my situation I expect { a: [ 2, 3 ] }

It seems that deep-extend uses replacement by index in array and concat two arrays, however in my situation I want to override the first array value, how to do that?

When I try

function BearerStrategy() {
}

BearerStrategy.prototype.authenticate = function () {
};

const extended = deepExtend({}, { strategies: [
  new BearerStrategy(),
] });

extended.strategies.forEach((s) => {
  console.log('extended', s.authenticate);
});

const s = new BearerStrategy();
console.log('original', s.authenticate);

The output will be:

extended undefined
original [Function]

which is totally wrong

Here is a code that make dextend crashes:

var dextend = require('deep-extend');

var left = {
    framework: {
        session: null
    }
};

var right = {
    framework: {
        session: { handler_id: null }
    }
};

dextend(left, right);

The error is:

./node_modules/deep-extend/index.js:55
                src = target[key];
                            ^
TypeError: Cannot read property 'handler_id' of null

Some missing initialization with { } I guess

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ rc > deep-extend                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server > chokidar > fsevents > node-pre-gyp > rc │
│               │ > deep-extend                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Edit: It's fixed in 9423fae and #40

• rc got updated: dominictarr/rc@b633779
• node-pre-gyp mapbox/node-pre-gyp#379
• fsevents needs to update node-pre-gyp
• chokidar needs to update fsevents
• webpack-dev-server and watchpack needs to update chokidar
• webpack needs to update watchpack

> extend = require('deep-extend')
[Function]
> Q = { defaults: { instructions: null } };
{ defaults: { instructions: null } }
> SQ = { defaults: { prompt: { image: null } } };
{ defaults: { prompt: { image: null } } }
> extend(Q, SQ)
{ defaults: { instructions: null, prompt: { image: {} } } }

With jQuery.extend, image is still null.

In your README you point out that extending j: [1, 2] with j: [3, 4] will return j: [3,4 ] and I don't want that behavior... there is an option for concat arrays?

I am pretty confused about the logic in README:

• f was 5 initially,
• f is [] in extending object,
• f becomes null in target object.

Now that's what I call a surprise! Please correct me if I'm wrong to expect f == [] in target.

TIA

Inside the main loop there is a simple if statement:

for (key in obj) {
  if ( ! (key in obj)) continue;
  ...
}

This if statement was introduced as a response to issue #5:
3f79474#diff-168726dbe96b3ce427e7fedce31bb0bcR53

Previously the code looked like this:

for (key in obj) {
  if (obj[key] !== void 0) {
    ...
  }
}

Ok, so previously undefined (here written as void 0) was ignored, where as the new code treats it just as any other value. But I cannot understand what the new if-statement actually does? What edge case will trigger it?

No doubt Buffer support is good addition to this module. But I was using deep-extend with browserify. After including the Buffer, browserify output increases by ~30kb.
Is there any work around to avoid Buffer inclusion while browserify the deep-extend as my application doesn't require Buffer support ?

when I ran the following code, I was surprised by the result

const target = {}
deepExtend(
  target,
  {
    series: [{ center: [1, 2], other: 1, dif: 2 }]
  },
  { series: [{ center: [3, 4] }] }
)
console.log(target, 'reuslt')

this outputs {"series":[{"center":[3,4]}]}.

Shouldn't the correct result be {"series":[{"center":[3,4],"other": 1,"dif": 2}]}?

when combine two big objects, will cause Maximum call stack size exceeded

The error code:

deep-extend.js?ffeb:104 Uncaught RangeError: Maximum call stack size exceeded
    at Array.forEach (<anonymous>)
    at eval (deep-extend.js?ffeb:104)
    at Array.forEach (<anonymous>)
    at module.exports (deep-extend.js?ffeb:98)
    at eval (deep-extend.js?ffeb:137)
    at Array.forEach (<anonymous>)
    at eval (deep-extend.js?ffeb:104)
    at Array.forEach (<anonymous>)
    at module.exports (deep-extend.js?ffeb:98)
    at eval (deep-extend.js?ffeb:137)

a = {a: [1]}
b = {a: [2]}
c = {c: 3}
_.deepExtend.({}, a, b, c)

Expected behavior:
deepExtend tries to combine the Objects, but does not modify the data in a, b, or c.

Actual behavior:
deepExtend modifies the value of a.

According to https://hackerone.com/reports/311333, deep-extend is vulnerable to prototype pollution attacks. The vulnerability exists in the utility function where the prototype of Object can be overwritten to add or modify existing property on all objects.
Could you fix this as deep-extend is used in other packages such as https://github.com/dominictarr/rc
Thank you.

Values, which are set, should be used even if the value is undefined - example

var extend = require('deep-extend');

var a = {
    b: 1,
    c: 2
};

var b = {
    b: undefined,
    c: false
};

console.log(extend(a, b));

Actual output { b: 1, c: false } expected { b: undefined, c: false }. This line should instead use if (key in obj)

When extending an object into a second, the Map values of the first don't get copied.