Security leak in _.flatten and _.isEqual, please update (1.13.8 tag will be pushed later) #3011

@jgonggrijp

Description

I just published version 1.13.8, which fixes a security issue in _.flatten and _.isEqual. Under very specific circumstances, it could allow for a Denial of Service (DoS) attack in server applications. This bug was present in all previous versions of Underscore.

We will hold the details in relative obscurity until most users have upgraded (for a maximum of two weeks). For this reason, the code changes are not yet visible on GitHub. Please subscribe to this issue if you want to be notified when we push the changes.

While the new version has already been released, the code changes will still be publicly reviewed after they are revealed here on GitHub.

EDIT: we will also be publishing a CVE later. This is currently being prepared.