diff --git a/.licenses/npm/js-yaml.dep.yml b/.licenses/npm/js-yaml.dep.yml
index 86be84ad..f495d93d 100644
--- a/.licenses/npm/js-yaml.dep.yml
+++ b/.licenses/npm/js-yaml.dep.yml
@@ -1,9 +1,9 @@
 ---
 name: js-yaml
-version: 4.1.0
+version: 4.1.1
 type: npm
 summary: YAML 1.2 parser and serializer
-homepage: https://github.com/nodeca/js-yaml
+homepage:
 license: mit
 licenses:
 - sources: LICENSE
diff --git a/dist/index.js b/dist/index.js
index 35bb1084..faba4269 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -13162,6 +13162,22 @@ function charFromCodepoint(c) {
 );
 }
+// set a property of a literal object, while protecting against prototype pollution,
+// see https://github.com/nodeca/js-yaml/issues/164 for more details
+function setProperty(object, key, value) {
+ // used for this specific key only because Object.defineProperty is slow
+ if (key === '__proto__') {
+ Object.defineProperty(object, key, {
+ configurable: true,
+ enumerable: true,
+ writable: true,
+ value: value
+ });
+ } else {
+ object[key] = value;
+ }
+}
+
 var simpleEscapeCheck = new Array(256); // integer, for fast access
 var simpleEscapeMap = new Array(256);
 for (var i = 0; i < 256; i++) {
@@ -13340,7 +13356,7 @@ function mergeMappings(state, destination, source, overridableKeys) {
 key = sourceKeys[index];
 if (!_hasOwnProperty.call(destination, key)) {
- destination[key] = source[key];
+ setProperty(destination, key, source[key]);
 overridableKeys[key] = true;
 }
 }
@@ -13400,17 +13416,7 @@ function storeMappingPair(state, _result, overridableKeys, keyTag, keyNode, valu
 throwError(state, 'duplicated mapping key');
 }
- // used for this specific key only because Object.defineProperty is slow
- if (keyNode === '__proto__') {
- Object.defineProperty(_result, keyNode, {
- configurable: true,
- enumerable: true,
- writable: true,
- value: valueNode
- });
- } else {
- _result[keyNode] = valueNode;
- }
+ setProperty(_result, keyNode, valueNode);
 delete overridableKeys[keyNode];
 }