Fix prototype pollution

[gjasny]

Hello,

are you aware of the prototype pollution of lib/merge.js reported in 418sec/huntr#647?
Could you please provide a fixed version?

Thanks,
Gregor

[Marsup]

Thanks for the report, I have some comments though:

• First, what a shitty way to expose vulnerabilities in the open (not you, the original repo that does that, I understand you're not involved)
• hoek has been deprecated for a very long time now, there's a warning you can't really miss on npm (https://www.npmjs.com/package/hoek)
• As for the original report, it's not at all a prototype pollution, you have an object with a property "prototype" that contains all those things, that's it, it's just a POJO. If there was a prototype pollution, you'd be able to access the value with object.isAdmin, which is not the case in hoek nor in @hapi/hoek

[gjasny]

Thank you for your comment. I'm a C++ developer, not a JavaScript one. I mostly interact with the JS world by triaging our internal static code analysis reports. Do I understand correctly that there is no vulnerability and you don't have to take any action?

[Marsup]

Correct. Their report is a gross misunderstanding of how JS works, I'm not saying hoek is free of prototype pollution, but if that's the case we have no knowledge of that.

[cjihrig]

Closing as not an issue. Thanks for the report though.