According to MDN docs on __proto__, all A.__proto__ = B should actually be Object.setPrototypeOf(A, B).
__proto__ is only allowed to keep compatibility, and represents a huge security vulnerability surface.
This would also allow "hardening" Node.js with --disable-proto=delete|throw.
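An added example, not part of the original post or of the Node.js code base: it compares the two assignment patterns with the `__proto__` accessor present and with it removed, which approximates `--disable-proto=delete` (the `throw` mode is not covered). The function names and the sample JSON are constructed for illustration.

```javascript
'use strict';

// Run fn with the Object.prototype.__proto__ accessor removed (what
// --disable-proto=delete does at startup), then restore the accessor.
function withProtoDeleted(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  delete Object.prototype.__proto__;
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, '__proto__', saved);
  }
}

// Legacy pattern: only works while the accessor exists.
function linkLegacy(child, parent) {
  child.__proto__ = parent;
  return child;
}

// Replacement pattern: independent of the accessor.
function linkStandard(child, parent) {
  return Object.setPrototypeOf(child, parent);
}

// Hypothetical shallow copy of parsed input, as many option-merging helpers do.
function copyKeys(dst, src) {
  for (const key of Object.keys(src)) dst[key] = src[key];
  return dst;
}

// Constructed sample input: JSON.parse stores "__proto__" as an own key.
const SAMPLE = '{"__proto__": {"isAdmin": true}}';

function probe() {
  const base = { greet() { return 'hello'; } };
  const copied = copyKeys({}, JSON.parse(SAMPLE));
  return {
    legacyLinked: Object.getPrototypeOf(linkLegacy({}, base)) === base,
    standardLinked: Object.getPrototypeOf(linkStandard({}, base)) === base,
    inputChangedPrototype: Object.getPrototypeOf(copied) !== Object.prototype,
    inheritedIsAdmin: copied.isAdmin === true,
  };
}

const withAccessor = probe();
const withoutAccessor = withProtoDeleted(probe);
console.log({ withAccessor, withoutAccessor });
```

Code that still uses `A.__proto__ = B` silently stops linking prototypes once the accessor is removed, which is why the call sites have to move to `Object.setPrototypeOf` before the flag can be turned on.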