fix: exclude __proto__ from walk() (#2699)

[`__proto__`] is a special property to access an object's prototype.  It
has many pitfalls:

- Setting it to an object value changes an object's prototype, which is
  generally discouraged and may be unexpected by the `iterator` callback.
- Setting it to a non-object value does nothing (meaning `seen[k] =
  true` has no effect).
- When Node.js is run with the [`--disable-proto=throw`] option, getting
  or setting `__proto__` causes an exception with code
  `ERR_PROTO_ACCESS` to be thrown.

Additionally, since this property (and all properties of
`Object.prototype`) are currently unused in this project by consumers of
`walk()`, it is both safe and preferable to exclude.

[`__proto__`]: https://tc39.es/ecma262/multipage/fundamental-objects.html#sec-object.prototype.__proto__
[`--disable-proto=throw`]: https://nodejs.org/api/cli.html#disable-protomode

Fixes: #2695

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>

Author: kevinoid

src/sinon/util/core/walk.js

@@ -28,7 +28,13 @@ function walkInternal(obj, iterator, context, originalObj, seen) {
     }
 
     forEach(Object.getOwnPropertyNames(obj), function (k) {
-        if (seen[k] !== true) {
+        // Skip __proto__ because:
+        // - It's not currently useful in this project.
+        // - It's automatic, problematic, and deprecated.
+        // - Assigning to it has special effects (or no effect for non-object)
+        //   which may not be expected/handled properly by iterator callback.
+        // - Getting it throws Error with node --disable-proto=throw.
+        if (k !== "__proto__" && seen[k] !== true) {
             seen[k] = true;
             const target =
                 typeof Object.getOwnPropertyDescriptor(obj, k).get ===