Prototype pollution vulnerability in merge function

[spratt]

A vulnerability detection tool I use is flagging the merge function, and particularly this line: https://github.com/lukeed/dset/blob/master/src/merge.js#L9

The tool says that the function is vulnerable to prototype pollution as per this paper: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

Reading through the code and the paper, it seems like there is a check to mitigate prototype pollution in the dset function that uses merge, but not in merge itself. Would the merge function benefit from such a check? Or would that break something?

Thanks, Simon

[n1ru4l]

I created a PR for this: https://github.com/lukeed/dset/pull/34

[lukeed]

Closed by #34 and #38

[matthewtusker]

44 suggests that the vulnerability still exists.