prisma-sql 1.76.2 → 1.77.0

package/dist/index.js

@@ -8073,6 +8073,14 @@ function buildKey(row, fields) {
 }
 
 // src/builder/select/reducer.ts
+var UNSAFE_PROPERTY_NAMES = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+function assertSafePropertyName(name) {
+  if (UNSAFE_PROPERTY_NAMES.has(name)) {
+    throw new Error(
+      `Unsafe property name '${name}' rejected to prevent prototype pollution`
+    );
+  }
+}
 function buildRelationScalarCols(relModel, relPath, includeAllScalars, selectedScalarFields) {
   const jsonSet = getJsonFieldSet(relModel);
   const scalarFields = includeAllScalars ? getScalarFieldNames(relModel) : selectedScalarFields;
@@ -8104,6 +8112,7 @@ function buildReducerConfig(parentModel, includeSpec, allModels, prefix = "", de
   const modelMap = new Map(allModels.map((m) => [m.name, m]));
   for (const [incName, incValue] of Object.entries(includeSpec)) {
     if (incValue === false) continue;
+    assertSafePropertyName(incName);
     const field = parentModel.fields.find((f) => f.name === incName);
     if (!field || !field.isRelation) {
       throw new Error(
@@ -8181,7 +8190,7 @@ function initNestedPlaceholders(obj, nested) {
 function materializeRelationObject(row, rel) {
   const relKey = buildKey(row, rel.keyCols);
   if (relKey == null) return null;
-  const obj = {};
+  const obj = /* @__PURE__ */ Object.create(null);
   for (const c of rel.scalarCols) {
     obj[c.fieldName] = parseJsonIfNeeded(c.isJson, row[c.colName]);
   }
@@ -8249,7 +8258,7 @@ function reduceFlatRows(rows, config) {
     if (parentKey == null) continue;
     let record = resultMap.get(parentKey);
     if (!record) {
-      record = {};
+      record = /* @__PURE__ */ Object.create(null);
       for (const fieldName of parentScalarFields) {
         record[fieldName] = maybeParseJson(
           row[fieldName],