@adobe/alloy 2.30.1-beta.15 → 2.30.1-beta.16

@@ -14,4 +14,4 @@ governing permissions and limitations under the License.
14
14
  */
15
15
  // The __VERSION__ keyword will be replace at alloy build time with the package.json version.
16
16
  // see babel-plugin-version
17
- var _default = exports.default = "2.30.1-beta.15";
17
+ var _default = exports.default = "2.30.1-beta.16";
@@ -15,8 +15,13 @@ OF ANY KIND, either express or implied. See the License for the specific languag
15
15
  governing permissions and limitations under the License.
16
16
  */
17
17
 
18
+ // Keys that should never be copied to prevent prototype pollution.
19
+ const DANGEROUS_KEYS = ["__proto__", "constructor", "prototype"];
18
20
  const deepAssignObject = (target, source) => {
19
21
  Object.keys(source).forEach(key => {
22
+ if (DANGEROUS_KEYS.includes(key)) {
23
+ return;
24
+ }
20
25
  if ((0, _isObject.default)(target[key]) && (0, _isObject.default)(source[key])) {
21
26
  deepAssignObject(target[key], source[key]);
22
27
  return;
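Review bot: The guard added at the top of the `forEach` callback in `deepAssignObject` skips `constructor` and `prototype` as well as `__proto__`, at every nesting depth and without any signal, so a legitimate data field with one of those names is now silently missing from the merged result. The comment on `DANGEROUS_KEYS` should state that trade-off, for example `// Skipped at every depth, including as ordinary data keys; callers get no warning.` Separately, the recursion test on the next line still reads `target[key]` through the prototype chain; requiring `Object.prototype.hasOwnProperty.call(target, key)` before recursing would keep the merge from descending into an inherited object even if the name list misses a case. Both points apply equally to the ES module copy of this hunk further down, and the body of `deepAssignObject` continues past the end of the hunk, so the assignment branch was not reviewed.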
@@ -13,4 +13,4 @@ governing permissions and limitations under the License.
13
13
  // The __VERSION__ keyword will be replace at alloy build time with the package.json version.
14
14
  // see babel-plugin-version
15
15
 
16
- export default "2.30.1-beta.15";
16
+ export default "2.30.1-beta.16";
@@ -12,8 +12,14 @@ governing permissions and limitations under the License.
12
12
 
13
13
  import isNil from "./isNil.js";
14
14
  import isObject from "./isObject.js";
15
+
16
+ // Keys that should never be copied to prevent prototype pollution.
17
+ const DANGEROUS_KEYS = ["__proto__", "constructor", "prototype"];
15
18
  const deepAssignObject = (target, source) => {
16
19
  Object.keys(source).forEach(key => {
20
+ if (DANGEROUS_KEYS.includes(key)) {
21
+ return;
22
+ }
17
23
  if (isObject(target[key]) && isObject(source[key])) {
18
24
  deepAssignObject(target[key], source[key]);
19
25
  return;
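--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@adobe/alloy",
- "version": "2.30.1-beta.15",
+ "version": "2.30.1-beta.16",
  "description": "Adobe Experience Platform Web SDK",
  "type": "module",
  "main": "libEs5/index.js",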
@@ -1 +1 @@
1
- {"version":3,"file":"deepAssign.d.ts","sourceRoot":"","sources":["../../packages/core/src/utils/deepAssign.js"],"names":[],"mappings":"AAkCe,+DAUd"}
1
+ {"version":3,"file":"deepAssign.d.ts","sourceRoot":"","sources":["../../packages/core/src/utils/deepAssign.js"],"names":[],"mappings":"AAwCe,+DAUd"}