Release 3.9.4 breaks code that depended on .hasOwnProperty()

[isdampe]

Pull #2574 looks like it introduced breaking changes that set the Object prototype to null (and not Object.prototype). A consequence of this is that returned records can no longer call methods of Object.prototype such as hasOwnProperty.

[sidorares]

@wellwelwel maybe freeze Object.prototype instead of inheriting from null?

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html https://portswigger.net/web-security/prototype-pollution/preventing

@isdampe the "correct" way of calling hasOwnProperty should account for a possible null-prototype https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty#objects_created_with_object.createnull but you are right, this should not be introduced in a minor version change

We either need to fix this error somehow in 3.x or bump major version ( and fix in 3.x )

[wellwelwel]

I don't think we'll need a major version bump for this, but I'll perform some tests and check again to be sure.

Progress:

• 2591

---

Related: https://github.com/sidorares/node-mysql2/pull/2574#issuecomment-2047118083

[wellwelwel]

Note to self

Including a safe recommendation from MDN for this in docs (especially in case of a major bump version):

const obj = Object.create(null);

obj.test = true;

Object.hasOwn(obj, 'test'); // ✅