fix: avoids prototype pollution

kricsleo · kricsleo · commit 70aa6044f5a7 · 2026-04-01T22:41:30.000+08:00
diff --git a/src/defu.ts b/src/defu.ts
@@ -12,7 +12,7 @@ function _defu<T>(
     return _defu(baseObject, {}, namespace, merger);
   }
 
-  const object = Object.assign({}, defaults);
+  const object = { ...defaults };
 
   for (const key in baseObject) {
     if (key === "__proto__" || key === "constructor") {
diff --git a/test/defu.test.ts b/test/defu.test.ts
@@ -110,6 +110,12 @@ describe("defu", () => {
     defu({}, payload);
     defu(payload, {});
     defu(payload, payload);
+
+    const malicious = JSON.parse('{"__proto__":{"isAdmin":true}}');
+    const result = defu(malicious, { isAdmin: false });
+
+    expect(result.isAdmin).toBe(false);
+
     // @ts-ignore
     expect({}.isAdmin).toBe(undefined);
   });

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ function _defu<T>(`
`12`	`12`	`return _defu(baseObject, {}, namespace, merger);`
`13`	`13`	`}`
`14`	`14`
`15`		`- const object = Object.assign({}, defaults);`
	`15`	`+ const object = { ...defaults };`
`16`	`16`
`17`	`17`	`for (const key in baseObject) {`
`18`	`18`	`if (key === "__proto__" \|\| key === "constructor") {`