From e8ad1140cbfc313e00318e4579e98f129ebe4a83 Mon Sep 17 00:00:00 2001
From: Brett Logan <9400927+lindluni@users.noreply.github.com>
Date: Sun, 15 Dec 2024 22:57:47 -0500
Subject: [PATCH] Fix code scanning alert no. 2: Prototype-polluting function
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 lib/mergeDeep.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/mergeDeep.js b/lib/mergeDeep.js
index b3cf4a0c..ab278e5c 100644
--- a/lib/mergeDeep.js
+++ b/lib/mergeDeep.js
@@ -91,6 +91,10 @@ class MergeDeep {
 // One of the oddities is when we compare objects, we are only interested in the properties of source
 // So any property in the target that is not in the source is not treated as a deletion
 for (const key in source) {
+ // Skip prototype pollution vectors
+ if (key === "__proto__" || key === "constructor") {
+ continue;
+ }
 // Logic specific for Github
 // API response includes urls for resources, or other ignorable fields; we can ignore them
 if (key.indexOf('url') >= 0 || this.ignorableFields.indexOf(key) >= 0) {
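Review bot: The guard added inside the `for (const key in source)` loop rejects `__proto__` and `constructor` but not `prototype`, the third key conventionally blocked in merge-style functions, so `if (key === '__proto__' || key === 'constructor' || key === 'prototype') {` would be the safer form. Because `for...in` also walks enumerable keys inherited through `source`'s prototype chain, adding `|| !Object.hasOwn(source, key)` (or a `hasOwnProperty` check if the project's Node target predates ES2022) to the same `continue` condition would confine the merge to the source's own properties; whether that matters depends on how the rest of the loop writes into the target, which lies outside this hunk. The new lines also use double quotes where the surrounding code uses single quotes (`'url'`); match the file's existing style. The enclosing method starts before and continues after this hunk.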