fix(upgrade): Make rename map prototype-safe (#7414)

jacekradko · web-flow · commit 1b37f2ac05c4 · 2025-12-09T19:28:16.000Z
diff --git a/.changeset/cute-buttons-repair.md b/.changeset/cute-buttons-repair.md
@@ -0,0 +1,5 @@
+---
+'@clerk/upgrade': patch
+---
+
+Update transform-align-experimental-unstable-prefixes to avoid prototype pollution
diff --git a/packages/upgrade/src/codemods/__tests__/__fixtures__/transform-align-experimental-unstable-prefixes.fixtures.js b/packages/upgrade/src/codemods/__tests__/__fixtures__/transform-align-experimental-unstable-prefixes.fixtures.js
@@ -69,6 +69,31 @@ createClerkClient();
     `,
     output: `
 <OrganizationProfile />;
+`,
+  },
+  {
+    name: 'Does not rename class constructors',
+    source: `
+export class AppError extends Error {
+  constructor(
+    message: string,
+    public readonly code: string,
+    public readonly statusCode: number = 500
+  ) {
+    super(message);
+  }
+}
+    `,
+    output: `
+export class AppError extends Error {
+  constructor(
+    message: string,
+    public readonly code: string,
+    public readonly statusCode: number = 500
+  ) {
+    super(message);
+  }
+}
 `,
   },
 ];
diff --git a/packages/upgrade/src/codemods/__tests__/transform-align-experimental-unstable-prefixes.test.js b/packages/upgrade/src/codemods/__tests__/transform-align-experimental-unstable-prefixes.test.js
@@ -6,7 +6,7 @@ import { fixtures } from './__fixtures__/transform-align-experimental-unstable-p
 
 describe('transform-align-experimental-unstable-prefixes', () => {
   it.each(fixtures)('$name', ({ source, output }) => {
-    const result = applyTransform(transformer, {}, { source });
+    const result = applyTransform(transformer, {}, { source }) || source.trim();
 
     expect(result).toEqual(output.trim());
   });
diff --git a/packages/upgrade/src/codemods/transform-align-experimental-unstable-prefixes.cjs b/packages/upgrade/src/codemods/transform-align-experimental-unstable-prefixes.cjs
@@ -1,18 +1,18 @@
-const SPECIFIC_RENAMES = {
-  experimental_createTheme: 'createTheme',
+const SPECIFIC_RENAMES = Object.freeze({
   __experimental_createTheme: 'createTheme',
-  experimental__simple: 'simple',
   __experimental_simple: 'simple',
   __unstable__createClerkClient: 'createClerkClient',
-  __unstable_invokeMiddlewareOnAuthStateChange: '__internal_invokeMiddlewareOnAuthStateChange',
   __unstable__environment: '__internal_environment',
-  __unstable__updateProps: '__internal_updateProps',
-  __unstable__setEnvironment: '__internal_setEnvironment',
-  __unstable__onBeforeRequest: '__internal_onBeforeRequest',
   __unstable__onAfterResponse: '__internal_onAfterResponse',
-  __unstable__onBeforeSetActive: '__internal_onBeforeSetActive',
   __unstable__onAfterSetActive: '__internal_onAfterSetActive',
-};
+  __unstable__onBeforeRequest: '__internal_onBeforeRequest',
+  __unstable__onBeforeSetActive: '__internal_onBeforeSetActive',
+  __unstable__setEnvironment: '__internal_setEnvironment',
+  __unstable__updateProps: '__internal_updateProps',
+  __unstable_invokeMiddlewareOnAuthStateChange: '__internal_invokeMiddlewareOnAuthStateChange',
+  experimental__simple: 'simple',
+  experimental_createTheme: 'createTheme',
+});
 
 const REMOVED_PROPS = new Set([
   '__unstable_manageBillingUrl',
@@ -52,10 +52,10 @@ module.exports = function transformAlignExperimentalUnstablePrefixes({ source },
   let dirty = false;
 
   const maybeRename = name => {
-    if (!name || REMOVED_PROPS.has(name)) {
+    if (!name || REMOVED_PROPS.has(name) || !Object.hasOwn(SPECIFIC_RENAMES, name)) {
       return null;
     }
-    return SPECIFIC_RENAMES[name] ?? null;
+    return SPECIFIC_RENAMES[name];
   };
 
   const renameIdentifier = node => {
@@ -206,9 +206,12 @@ module.exports = function transformAlignExperimentalUnstablePrefixes({ source },
     });
   });
 
-  root.find(j.Identifier).forEach(path => {
-    renameIdentifier(path.node);
-  });
+  root
+    .find(j.Identifier)
+    .filter(path => maybeRename(path.node.name))
+    .forEach(path => {
+      renameIdentifier(path.node);
+    });
 
   root.find(j.JSXOpeningElement).forEach(path => {
     const attributes = path.node.attributes || [];

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/upgrade': patch
 +---
++
 +Update transform-align-experimental-unstable-prefixes to avoid prototype pollution