fix: [SDK-4150] prevent prototype pollution in JSONP calls (#1442)

Author: fadi-george

.cursor/rules/bun.md

@@ -77,7 +77,7 @@
     },
     {
       "path": "./build/releases/OneSignalSDK.page.es6.js",
-      "limit": "41.94 kB",
+      "limit": "41.96 kB",
       "gzip": true
     },
     {

.cursor/rules/pr-conventions.md

@@ -0,0 +1,25 @@
+const { mockJsonp } = vi.hoisted(() => ({
+  mockJsonp: vi.fn(),
+}));
+
+vi.mock('jsonp', () => ({ default: mockJsonp }));
+
+describe('jsonpLib', () => {
+  test('passes explicit options to prevent prototype pollution', async () => {
+    vi.resetModules();
+    const { jsonpLib } = await import('./page');
+
+    const fn = vi.fn();
+    jsonpLib('https://example.com', fn);
+
+    expect(mockJsonp).toHaveBeenCalledWith(
+      'https://example.com',
+      expect.objectContaining({
+        prefix: '__jp',
+        param: 'callback',
+        timeout: 60000,
+      }),
+      fn,
+    );
+  });
+});

package.json

@@ -8,7 +8,12 @@ export function jsonpLib(
   url: string,
   fn: (err: Error | null, data: ServerAppConfig) => void,
 ) {
-  JSONP(url, undefined, fn);
+  // Explicit opts prevent prototype pollution
+  JSONP(
+    url,
+    { prefix: '__jp', name: undefined, param: 'callback', timeout: 60000 },
+    fn,
+  );
 }
 
 export async function downloadServerAppConfig(