Add prototype-pollution guards and array key helpers#565
Merged
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #565 +/- ##
==========================================
- Coverage 99.46% 99.43% -0.03%
==========================================
Files 145 150 +5
Lines 4271 4452 +181
Branches 938 955 +17
==========================================
+ Hits 4248 4427 +179
- Misses 23 25 +2
🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds prototype-pollution defenses and new array key helpers. Introduces public forEachOwnKeySafe, isUnsafePropKey, and isUnsafeTarget helpers; routes deep-copy and path-based setters through them; adds arrKeys/polyArrKeys and arrIndexKeys for dense/sparse array-like iteration; and extends lib/src/internal/constants.ts with many new built-in class/prototype constants used by isUnsafeTarget.
Changes:
- New safe iteration / unsafe key & target detection helpers, applied to
objDeepCopy,setValueByKey,setValueByIter,arrGroupBy, andpolyObjFromEntries. - New
arrKeys/arrIndexKeysarray utilities (with polyfill) and tests covering sparse and array-like values. - Constants file gains class/prototype references for Number, Symbol, Function, Date, RegExp, Boolean, Error, Map, Set (plus an unused
MathProto); README, docs, package keywords, and size limits updated.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Documents new security helpers and adds arrKeys/arrIndexKeys and new object helpers to the indexes. |
| package.json, lib/package.json | Adds keywords for the new helpers and a few unrelated terms. |
| .size-limit.json | Raises bundle-size limits to accommodate the new code. |
| docs/README.md, docs/security-helpers.md | Adds the Security Helpers guide. |
| lib/src/index.ts | Exports arrKeys, arrIndexKeys, forEachOwnKeySafe, isUnsafePropKey, isUnsafeTarget. |
| lib/src/internal/constants.ts | Adds many new class/prototype constants (including unused MathProto); direct Map/Set/Symbol global access at module load. |
| lib/src/internal/treeshake_helpers.ts | _pureRef now null-guards value before property access. |
| lib/src/object/forEachOwnKeySafe.ts | New safe own-key iterator skipping __proto__/constructor/prototype. |
| lib/src/object/isUnsafePropKey.ts | Identifies the three poisoning keys. |
| lib/src/object/isUnsafeTarget.ts | Identifies built-in prototype objects via cached list. |
| lib/src/object/for_each_key.ts | Doc note and minor TS typing tweak. |
| lib/src/object/copy.ts | _copyProps now uses forEachOwnKeySafe and skips when isUnsafeTarget(source). |
| lib/src/array/arrKeys.ts, arrIndexKeys.ts | New helpers + polyfill. |
| lib/src/array/groupBy.ts | Uses objDefine so unsafe group keys become own enumerable props instead of mutating prototypes. |
| lib/src/helpers/get_set_value.ts | setValueByKey/setValueByIter reject paths containing unsafe keys. |
| lib/src/polyfills/object/objFromEntries.ts | Defines __proto__ as a real own property instead of triggering the setter. |
| lib/test/src/common/...test.ts | New/updated tests for the helpers and prototype-pollution scenarios. |
nev21
force-pushed
the
nev21/CVE-2026-46681
branch
from
49b734f to
07d629d
Compare
nevware21-bot
previously approved these changes
May 16, 2026
Contributor
nevware21-bot
left a comment
nevware21-bot
left a comment
There was a problem hiding this comment.
Approved by nevware21-bot
nev21
force-pushed
the
nev21/CVE-2026-46681
branch
from
07d629d to
1eec7c7
Compare
nev21
force-pushed
the
nev21/CVE-2026-46681
branch
from
1eec7c7 to
203fc5b
Compare
Add new public helpers for safe own-key iteration and unsafe target/key detection, plus new array key utilities for dense and sparse array-like values. - add forEachOwnKeySafe(), isUnsafePropKey(), and isUnsafeTarget() - update deep copy logic to use safe own-key iteration - add arrKeys() iterator and arrIndexKeys() own-index enumeration - export the new public APIs from the main index - add tests covering sparse arrays, array-like values, and unsafe keys - document the new security helpers in README and docs
nevware21-bot
approved these changes
May 17, 2026
Contributor
nevware21-bot
left a comment
nevware21-bot
left a comment
There was a problem hiding this comment.
Approved by nevware21-bot
nev21
added a commit
that referenced
this pull request
May 19, 2026
## Release v0.14.0 This PR increases the version to `0.14.0` and updates the changelog with all significant changes since v0.13.0. ### Summary of Changes #### Features - New array helpers and array-like detection (#525) - `strReplace` and `strReplaceAll` string helpers (#527) - `strCapitalizeWords` helper (#528) - `strTruncate`, `strCount`, `strAt`, `strMatchAll` helpers (#529, #530) - `arrFlatMap` with ES5 polyfill (#533) - Typing utilities and expanded TSDoc examples (#535) - `isAsyncIterable` and `isIntegerInRange` helpers (#536) - `strStartsWithAny`, `strEndsWithAny`, `strWrap`, `strUnwrap`, `strNormalizeNewlines` (#543) - New object utility helpers and prototype pollution hardening (#564, #565) #### Bug Fixes - Fix ES2015 built-in type errors in consumers by adding lib reference directive to published declarations (#558) - Fix `thisArg` binding in `polyArrFindIndex` / `polyArrFindLastIndex` polyfills (#562) - Fix falsy `thisArg` (0, `''`, `false`) being overridden in `arrForEach`, `iterForOf`, `objForEachKey` (#566) #### Repository Improvements - Drop Node.js 16 from CI matrix and add Node.js 24 (#549) - Upgrade Grunt devDependency to v1.6.2 (#552) - Add funding metadata to published package manifests (#554) ### Files Updated - `CHANGELOG.md` — Added v0.14.0 entry - `package.json` — Version bumped to 0.14.0 - `lib/package.json` — Version bumped to 0.14.0 - `README.md` — Updated recommended version specification
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add new public helpers for safe own-key iteration and unsafe target/key detection, plus new array key utilities for dense and sparse array-like values.