Merge commit from fork

elliott-with-the-longest-name-on-github · web-flow · commit 0f04d4d678ea · 2026-02-18T10:47:49.000-07:00
* fix: Properly handle `__proto__`

* throw instead

* another
diff --git a/.changeset/clean-owls-drum.md b/.changeset/clean-owls-drum.md
@@ -0,0 +1,5 @@
+---
+"devalue": patch
+---
+
+fix: Properly handle `__proto__`
diff --git a/src/parse.js b/src/parse.js
@@ -217,7 +217,7 @@ export function unflatten(parsed, revivers) {
 			const object = {};
 			hydrated[index] = object;
 
-			for (const key in value) {
+			for (const key of Object.keys(value)) {
 				if (key === '__proto__') {
 					throw new Error('Cannot parse an object with a `__proto__` property');
 				}
diff --git a/src/stringify.js b/src/stringify.js
@@ -217,7 +217,16 @@ export function stringify(value, reducers) {
 
 					if (Object.getPrototypeOf(thing) === null) {
 						str = '["null"';
-						for (const key in thing) {
+						for (const key of Object.keys(thing)) {
+							if (key === '__proto__') {
+								throw new DevalueError(
+									`Cannot stringify objects with __proto__ keys`,
+									keys,
+									thing,
+									value
+								);
+							}
+
 							keys.push(stringify_key(key));
 							str += `,${stringify_string(key)},${flatten(thing[key])}`;
 							keys.pop();
@@ -226,7 +235,16 @@ export function stringify(value, reducers) {
 					} else {
 						str = '{';
 						let started = false;
-						for (const key in thing) {
+						for (const key of Object.keys(thing)) {
+							if (key === '__proto__') {
+								throw new DevalueError(
+									`Cannot stringify objects with __proto__ keys`,
+									keys,
+									thing,
+									value
+								);
+							}
+
 							if (started) str += ',';
 							started = true;
 							keys.push(stringify_key(key));
diff --git a/src/uneval.js b/src/uneval.js
@@ -131,7 +131,16 @@ export function uneval(value, replacer) {
 						);
 					}
 
-					for (const key in thing) {
+					for (const key of Object.keys(thing)) {
+						if (key === '__proto__') {
+							throw new DevalueError(
+								`Cannot stringify objects with __proto__ keys`,
+								keys,
+								thing,
+								value
+							);
+						}
+
 						keys.push(stringify_key(key));
 						walk(thing[key]);
 						keys.pop();
diff --git a/test/test.js b/test/test.js
@@ -548,7 +548,7 @@ const fixtures = {
 			})(),
 			js: '{x:1}',
 			json: '[{"x":1},1]'
-		}
+		},
 	],
 
 	custom: ((instance) => [
@@ -852,6 +852,21 @@ for (const fn of [uneval, stringify]) {
 		assert.throws(() => fn({ [Symbol()]: null }));
 	});
 
+	uvu.test(`${fn.name} throws for __proto__ keys`, () => {
+		const inner = JSON.parse('{"__proto__":1}');
+		const root = { foo: inner };
+		try {
+			fn(root);
+			assert.unreachable('should have thrown');
+		} catch (e) {
+			assert.equal(e.name, 'DevalueError');
+			assert.equal(e.message, 'Cannot stringify objects with __proto__ keys');
+			assert.equal(e.path, '.foo');
+			assert.equal(e.value, inner);
+			assert.equal(e.root, root);
+		}
+	});
+
 	uvu.test(`${fn.name} populates error.keys and error.path`, () => {
 		try {
 			fn({

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"devalue": patch
 +---
++
 +fix: Properly handle `__proto__`
Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ export function unflatten(parsed, revivers) {`
`217`	`217`	`const object = {};`
`218`	`218`	`hydrated[index] = object;`
`219`	`219`
`220`		`- for (const key in value) {`
	`220`	`+ for (const key of Object.keys(value)) {`
`221`	`221`	`if (key === '__proto__') {`
`222`	`222`	throw new Error('Cannot parse an object with a `__proto__` property');
`223`	`223`	`}`