Commit 080e3b2
fix: block forbidden keys in Queryable setter to prevent prototype pollution
Sanitize __proto__, constructor, and prototype keys in the setKeys
function to prevent prototype pollution via npm pkg set. Previously,
passing __proto__.scripts.postinstall as a key would pollute
Object.prototype, causing @npmcli/package-json to write inherited
properties to disk and enabling RCE on next npm install.
Fixes GHSA-jjm5-4238-9vmw
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

1 parent c5292fa
2 files changed
Lines changed: 44 additions & 0 deletions
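The mechanism the commit message describes, as an added illustration (this is not npm's Queryable or setKeys code, and `setPathUnsafe`, `setPathSafe` and `serializeWithInherited` are hypothetical names): a minimal dotted-path setter in the spirit of `npm pkg set a.b.c=value`, first the naive form that walks whatever key it is handed, then a hardened form that rejects the three keys named in the commit at every segment of the path, plus a `for...in` writer standing in for the "writes inherited properties to disk" step.

```javascript
// Added illustration, not npm's own Queryable/setKeys code: a minimal
// dotted-path setter in the spirit of `npm pkg set a.b.c=value`, first the
// naive form that walks any key it is handed, then a hardened form that
// rejects the three keys named in the commit at every path segment.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])

// Naive setter: for '__proto__.scripts.postinstall' the first segment reads
// the inherited `__proto__` accessor, so `node` becomes Object.prototype and
// `scripts` is created there, not on the package object.
function setPathUnsafe (root, path, value) {
  const keys = path.split('.')
  let node = root
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {}
    }
    node = node[key]
  }
  node[keys[keys.length - 1]] = value
  return root
}

// Hardened setter: validate every segment up front and fail loudly, then
// only descend into the object's own properties so an inherited value is
// never reused as an intermediate node.
function setPathSafe (root, path, value) {
  const keys = path.split('.')
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set forbidden key "${key}" in "${path}"`)
    }
  }
  let node = root
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key)
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {}
    }
    node = node[key]
  }
  node[keys[keys.length - 1]] = value
  return root
}

// Stand-in for a writer that enumerates with for...in (which includes
// enumerable inherited keys), the behaviour the commit attributes to
// @npmcli/package-json. JSON.stringify alone only visits own properties,
// which is why a polluted prototype can go unnoticed until such a loop runs.
function serializeWithInherited (obj) {
  const out = {}
  for (const key in obj) {
    out[key] = obj[key]
  }
  return JSON.stringify(out)
}

// Run the attack against the naive setter and undo it afterwards, so the
// demonstration does not leave Object.prototype polluted for other code.
function demonstratePollution () {
  const pkg = { name: 'victim', version: '1.0.0' } // constructed sample manifest
  try {
    setPathUnsafe(pkg, '__proto__.scripts.postinstall', 'echo pwned')
    const unrelated = {} // fresh object that never had `scripts` set on it
    return {
      pkgHasOwnScripts: Object.prototype.hasOwnProperty.call(pkg, 'scripts'),
      inheritedPostinstall: unrelated.scripts && unrelated.scripts.postinstall,
      written: serializeWithInherited(unrelated),
    }
  } finally {
    delete Object.prototype.scripts
  }
}
```

Two design points worth keeping from the hardened form: the forbidden-key check runs over every segment, since `scripts.__proto__.postinstall` reaches Object.prototype just as surely as a leading `__proto__`, and it throws rather than silently dropping the segment, so the caller sees the rejected input instead of a manifest that quietly differs from what was asked for.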
File 1 of 2 (file name not preserved in this rendering): two hunks, adding new lines 5-6 and 127-129 (5 additions, no deletions). The changed lines themselves were not preserved.
File 2 of 2 (file name not preserved in this rendering): one hunk, adding new lines 966-1004 (39 additions, no deletions). The changed lines themselves were not preserved.
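Review bot: the hunk bodies are absent from this rendering, so the check itself cannot be reviewed here; the commit message only names the leading-segment case `__proto__.scripts.postinstall`, and the setter needs to reject `__proto__`, `constructor` and `prototype` at every segment of the dotted path (`scripts.__proto__.postinstall` reaches Object.prototype just as well) and should fail with an error rather than silently dropping the key, so `npm pkg set` reports the rejected input. Worth confirming that the change covers a forbidden key in a non-leading position and stating in the message which behaviour (throw vs. drop) was chosen.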