@naturalcycles/js-lib 15.71.1 → 15.71.2

package/dist/datetime/localDate.js

@@ -450,6 +450,7 @@ export class LocalDate {
         return this.toISODate();
     }
     format(fmt) {
+        // oxlint-disable-next-line no-restricted-globals
         if (fmt instanceof Intl.DateTimeFormat) {
             return fmt.format(this.toDate());
         }

package/dist/datetime/localTime.js

@@ -647,6 +647,7 @@ export class LocalTime {
         return this.unix;
     }
     format(fmt) {
+        // oxlint-disable-next-line no-restricted-globals
         if (fmt instanceof Intl.DateTimeFormat) {
             return fmt.format(this.$date);
         }
@@ -862,6 +863,7 @@ class LocalTimeFactory {
     isTimezoneValid(tz) {
         if (tz === 'UTC')
             return true; // we deliberately consider UTC a valid timezone, while it's mostly used in testing
+        // oxlint-disable-next-line no-restricted-globals
         return Intl.supportedValuesOf('timeZone').includes(tz);
     }
     sort(items, dir = 'asc', opt = {}) {

package/dist/intl/intl.js

@@ -1,5 +1,6 @@
 import { __decorate } from "tslib";
 import { _Memo } from '../decorators/memo.decorator.js';
+// oxlint-disable no-restricted-globals
 /**
  * Returns cached Intl.* formatters, because they are known to be
  * very slow to create.

package/dist/object/object.util.js

@@ -113,6 +113,8 @@ export function _filterObject(obj, predicate, opt = {}) {
         }
         return obj;
     }
+    // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+    // assignment only changes the new object's prototype, not Object.prototype.
     const r = {};
     for (const [k, v] of _objectEntries(obj)) {
         if (predicate(k, v, obj)) {
@@ -133,6 +135,8 @@ export function _filterObject(obj, predicate, opt = {}) {
  * To skip some key-value pairs - use _mapObject instead.
  */
 export function _mapValues(obj, mapper, opt = {}) {
+    // Not vulnerable to prototype pollution: writes to a new {} (or mutates the
+    // source in-place where own data properties shadow the __proto__ accessor).
     const map = opt.mutate ? obj : {};
     for (const [k, v] of Object.entries(obj)) {
         map[k] = mapper(k, v, obj);
@@ -148,6 +152,8 @@ export function _mapValues(obj, mapper, opt = {}) {
  * To skip some key-value pairs - use _mapObject instead.
  */
 export function _mapKeys(obj, mapper) {
+    // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+    // assignment only changes the new object's prototype, not Object.prototype.
     const map = {};
     for (const [k, v] of Object.entries(obj)) {
         map[mapper(k, v, obj)] = v;
@@ -171,6 +177,8 @@ export function _mapKeys(obj, mapper) {
  * Non-string keys are passed via String(...)
  */
 export function _mapObject(obj, mapper) {
+    // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+    // assignment only changes the new object's prototype, not Object.prototype.
     const map = {};
     for (const [k, v] of Object.entries(obj)) {
         const r = mapper(k, v, obj);
@@ -204,6 +212,8 @@ export function _deepCopy(o, reviver) {
  * otherwise it's not worth it (use normal object spread then).
  */
 export function _mergeObjects(obj1, obj2) {
+    // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+    // assignment only changes the new object's prototype, not Object.prototype.
     const map = {};
     for (const k of Object.keys(obj1))
         map[k] = obj1[k];
@@ -259,6 +269,8 @@ export function _merge(target, ...sources) {
         if (!_isObject(source))
             continue;
         for (const key of Object.keys(source)) {
+            if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+                continue;
             if (_isObject(source[key])) {
                 ;
                 target[key] ||= {};
@@ -284,6 +296,9 @@ export function _deepTrim(o) {
         return o.trim();
     }
     if (typeof o === 'object') {
+        // Not vulnerable to prototype pollution: mutates in-place on the same object.
+        // If __proto__ is an own data property (e.g. from JSON.parse), reads and writes
+        // go through the own property, not the Object.prototype accessor.
         for (const k of Object.keys(o)) {
             o[k] = _deepTrim(o[k]);
         }
@@ -301,6 +316,9 @@ export function _unset(obj, prop) {
         return;
     }
     const segs = prop.split('.');
+    // Prevent prototype pollution
+    if (segs.includes('__proto__') || segs.includes('constructor'))
+        return;
     let last = segs.pop();
     while (segs.length && segs[segs.length - 1].endsWith('\\')) {
         last = segs.pop().slice(0, -1) + '.' + last;
@@ -363,6 +381,10 @@ export function _set(obj, path, value) {
     else if (!path.length) {
         return obj;
     }
+    // Prevent prototype pollution
+    if (path.includes('__proto__') || path.includes('constructor')) {
+        return obj;
+    }
     // oxlint-disable-next-line unicorn/no-array-reduce
     ;
     path.slice(0, -1).reduce((a, c, i) => Object(a[c]) === a[c] // Does the key exist and is its value an object?
@@ -410,6 +432,8 @@ export function _has(obj, path) {
  * Based on: https://github.com/substack/deep-freeze/blob/master/index.js
  */
 export function _deepFreeze(o) {
+    // Not vulnerable to prototype pollution: read-only traversal, only calls
+    // Object.freeze — never assigns properties from one object to another.
     Object.freeze(o);
     Object.getOwnPropertyNames(o).forEach(prop => {
         if (o.hasOwnProperty(prop) &&

package/dist/string/slugify.js

@@ -61,6 +61,5 @@ function decamelize(s) {
 function escapeStringRegexp(s) {
     // Escape characters with special meaning either inside or outside character sets.
     // Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler form would be disallowed by Unicode patterns’ stricter grammar.
-    // oxlint-disable-next-line unicorn/escape-case, unicorn/no-hex-escape
     return s.replaceAll(/[|\\{}()[\]^$+*?.]/g, String.raw `\$&`).replaceAll('-', String.raw `\x2d`);
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@naturalcycles/js-lib",
   "type": "module",
-  "version": "15.71.1",
+  "version": "15.71.2",
   "dependencies": {
     "tslib": "^2"
   },

package/src/datetime/localDate.ts

@@ -532,6 +532,7 @@ export class LocalDate {
   }
 
   format(fmt: Intl.DateTimeFormat | LocalDateFormatter): string {
+    // oxlint-disable-next-line no-restricted-globals
     if (fmt instanceof Intl.DateTimeFormat) {
       return fmt.format(this.toDate())
     }

package/src/datetime/localTime.ts

@@ -778,6 +778,7 @@ export class LocalTime {
   }
 
   format(fmt: Intl.DateTimeFormat | LocalTimeFormatter): string {
+    // oxlint-disable-next-line no-restricted-globals
     if (fmt instanceof Intl.DateTimeFormat) {
       return fmt.format(this.$date)
     }
@@ -1009,6 +1010,7 @@ class LocalTimeFactory {
    */
   isTimezoneValid(tz: string): boolean {
     if (tz === 'UTC') return true // we deliberately consider UTC a valid timezone, while it's mostly used in testing
+    // oxlint-disable-next-line no-restricted-globals
     return Intl.supportedValuesOf('timeZone').includes(tz)
   }
 

package/src/intl/intl.ts

@@ -1,6 +1,8 @@
 import { _Memo } from '../decorators/memo.decorator.js'
 import type { IANATimezone } from '../types.js'
 
+// oxlint-disable no-restricted-globals
+
 /**
  * Returns cached Intl.* formatters, because they are known to be
  * very slow to create.

package/src/object/object.util.ts

@@ -153,6 +153,8 @@ export function _filterObject<T extends AnyObject>(
     return obj
   }
 
+  // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+  // assignment only changes the new object's prototype, not Object.prototype.
   const r = {} as T
   for (const [k, v] of _objectEntries(obj)) {
     if (predicate(k, v, obj)) {
@@ -178,6 +180,8 @@ export function _mapValues<OUT = unknown, IN extends AnyObject = AnyObject>(
   mapper: ObjectMapper<IN, any>,
   opt: MutateOptions = {},
 ): OUT {
+  // Not vulnerable to prototype pollution: writes to a new {} (or mutates the
+  // source in-place where own data properties shadow the __proto__ accessor).
   const map: any = opt.mutate ? obj : {}
   for (const [k, v] of Object.entries(obj)) {
     map[k] = mapper(k, v, obj)
@@ -194,6 +198,8 @@ export function _mapValues<OUT = unknown, IN extends AnyObject = AnyObject>(
  * To skip some key-value pairs - use _mapObject instead.
  */
 export function _mapKeys<T extends AnyObject>(obj: T, mapper: ObjectMapper<T, string>): T {
+  // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+  // assignment only changes the new object's prototype, not Object.prototype.
   const map = {} as T
   for (const [k, v] of Object.entries(obj)) {
     map[mapper(k, v, obj) as keyof T] = v
@@ -221,6 +227,8 @@ export function _mapObject<OUT = unknown, IN extends AnyObject = AnyObject>(
   obj: IN,
   mapper: ObjectMapper<IN, KeyValueTuple<string, any> | typeof SKIP>,
 ): OUT {
+  // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+  // assignment only changes the new object's prototype, not Object.prototype.
   const map: any = {}
   for (const [k, v] of Object.entries(obj)) {
     const r = mapper(k, v, obj)
@@ -260,6 +268,8 @@ export function _deepCopy<T>(o: T, reviver?: Reviver): T {
  * otherwise it's not worth it (use normal object spread then).
  */
 export function _mergeObjects<T>(obj1: StringMap<T>, obj2: StringMap<T>): StringMap<T> {
+  // Not vulnerable to prototype pollution: writes to a new {}, where __proto__
+  // assignment only changes the new object's prototype, not Object.prototype.
   const map: StringMap<T> = {}
   for (const k of Object.keys(obj1)) map[k] = obj1[k]
   for (const k of Object.keys(obj2)) map[k] = obj2[k]
@@ -316,6 +326,8 @@ export function _merge<T extends AnyObject>(target: T, ...sources: any[]): T {
     if (!_isObject(source)) continue
 
     for (const key of Object.keys(source)) {
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
+
       if (_isObject(source[key])) {
         ;(target as any)[key] ||= {}
         _merge(target[key], source[key])
@@ -340,6 +352,9 @@ export function _deepTrim<T extends AnyObject | string>(o: T): T {
     return o.trim() as T
   }
   if (typeof o === 'object') {
+    // Not vulnerable to prototype pollution: mutates in-place on the same object.
+    // If __proto__ is an own data property (e.g. from JSON.parse), reads and writes
+    // go through the own property, not the Object.prototype accessor.
     for (const k of Object.keys(o)) {
       o[k] = _deepTrim(o[k])
     }
@@ -361,6 +376,10 @@ export function _unset<T extends AnyObject>(obj: T, prop: string): void {
   }
 
   const segs = prop.split('.')
+
+  // Prevent prototype pollution
+  if (segs.includes('__proto__') || segs.includes('constructor')) return
+
   let last = segs.pop()
   while (segs.length && segs[segs.length - 1]!.endsWith('\\')) {
     last = segs.pop()!.slice(0, -1) + '.' + last
@@ -431,6 +450,11 @@ export function _set<T extends AnyObject>(obj: T, path: PropertyPath, value: any
     return obj as any
   }
 
+  // Prevent prototype pollution
+  if ((path as any[]).includes('__proto__') || (path as any[]).includes('constructor')) {
+    return obj
+  }
+
   // oxlint-disable-next-line unicorn/no-array-reduce
   ;(path as any[]).slice(0, -1).reduce(
     (
@@ -487,6 +511,8 @@ export function _has<T extends AnyObject>(obj: T, path: string): boolean {
  * Based on: https://github.com/substack/deep-freeze/blob/master/index.js
  */
 export function _deepFreeze(o: any): void {
+  // Not vulnerable to prototype pollution: read-only traversal, only calls
+  // Object.freeze — never assigns properties from one object to another.
   Object.freeze(o)
 
   Object.getOwnPropertyNames(o).forEach(prop => {

package/src/string/slugify.ts

@@ -102,6 +102,5 @@ function decamelize(s: string): string {
 function escapeStringRegexp(s: string): string {
   // Escape characters with special meaning either inside or outside character sets.
   // Use a simple backslash escape when it’s always valid, and a `\xnn` escape when the simpler form would be disallowed by Unicode patterns’ stricter grammar.
-  // oxlint-disable-next-line unicorn/escape-case, unicorn/no-hex-escape
   return s.replaceAll(/[|\\{}()[\]^$+*?.]/g, String.raw`\$&`).replaceAll('-', String.raw`\x2d`)
 }