fix(docs): add missing prototype pollution warning

.changeset/loud-parrots-admire.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": patch
+---
+
+Add missing prototype-pollution documentation in README

docs/prototype-pollution.md

@@ -0,0 +1,39 @@
+# Prototype Pollution
+
+| Code | Severity | i18n | Experimental |
+| --- | --- | --- | :-: |
+| prototype-pollution | `Warning` | `sast_warnings.prototype_pollution` | ❌ |
+
+## Introduction
+
+Prototype pollution is an attack technique in which an adversary manipulates an object's `__proto__` property to inject or override inherited properties on all objects of that type. Because JavaScript objects share a prototype chain, a successful pollution can affect any code that reads from those inherited properties — enabling unexpected behavior, authentication bypasses, or even remote code execution in some server-side scenarios.
+
+JS-X-Ray raises a `prototype-pollution` warning when it detects:
+
+- **Direct `__proto__` property access** — e.g. `obj.__proto__.foo = "bar"`
+- **Computed `__proto__` property access** — e.g. `obj["__proto__"].foo = "bar"`
+- **The `"__proto__"` string literal** — e.g. `const key = "__proto__"`, which may later be used as a dynamic key
+
+## Examples
+
+```js
+// Direct property access — pollutes every object's prototype
+const obj = {};
+obj.__proto__.polluted = true;
+console.log({}.polluted); // true
+
+// Computed property access — equivalent attack, just harder to spot
+const payload = {};
+payload["__proto__"].isAdmin = true;
+
+// String literal — the key will be tracked as a potential pollution vector
+const key = "__proto__";
+const target = {};
+target[key] = { isAdmin: true };
+```
+
+## Resources
+
+- [OWASP Prototype Pollution](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-Side_Testing/10-Testing_for_Client-Side_Template_Injection)
+- [Prototype Pollution — Portswigger](https://portswigger.net/web-security/prototype-pollution)
+- [HackerOne — Prototype Pollution in lodash](https://hackerone.com/reports/310443)

workspaces/js-x-ray/README.md

@@ -143,6 +143,7 @@ type WarningName =
   | "data-exfiltration"
   | "sql-injection"
   | "monkey-patch"
+  | "prototype-pollution"
   | OptionalWarningName;
 
 interface Warning<T = WarningName> {
@@ -230,6 +231,7 @@ Click on the warning **name** for detailed documentation and examples.
 | [data-exfiltration](https://github.com/NodeSecure/js-x-ray/blob/master/docs/data-exfiltration.md) | No | Potential unauthorized transfer of sensitive data |
 | [sql-injection](https://github.com/NodeSecure/js-x-ray/blob/master/docs/sql-injection.md) | No | Potential SQL injection vulnerability detected |
 | [monkey-patch](https://github.com/NodeSecure/js-x-ray/blob/master/docs/monkey-patch.md) | No | Modification of built-in JavaScript prototype properties |
+| [prototype-pollution](https://github.com/NodeSecure/js-x-ray/blob/master/docs/prototype-pollution.md) | No | Detected use of `__proto__` to pollute object prototypes |
 | [weak-scrypt](https://github.com/NodeSecure/js-x-ray/blob/master/docs/weak-scrypt.md) ⚠️ | **Yes** | Usage of weak scrypt parameters (low cost, short or hardcoded salt) |
 
 #### Information Severity