Merge commit from fork

Rich-Harris · web-flow · commit 0623a47c9555 · 2025-08-26T18:06:41.000-04:00
* disallow __proto__ property on object

* changeset

* changeset
diff --git a/.changeset/huge-ads-study.md b/.changeset/huge-ads-study.md
@@ -0,0 +1,5 @@
+---
+'devalue': patch
+---
+
+fix: disallow array method access when parsing
diff --git a/.changeset/rich-clouds-walk.md b/.changeset/rich-clouds-walk.md
@@ -0,0 +1,5 @@
+---
+'devalue': patch
+---
+
+fix: disallow `__proto__` properties on objects
diff --git a/src/parse.js b/src/parse.js
@@ -44,7 +44,9 @@ export function unflatten(parsed, revivers) {
 		if (index === NEGATIVE_INFINITY) return -Infinity;
 		if (index === NEGATIVE_ZERO) return -0;
 
-		if (standalone) throw new Error(`Invalid input`);
+		if (standalone || typeof index !== 'number') {
+			throw new Error(`Invalid input`);
+		}
 
 		if (index in hydrated) return hydrated[index];
 
@@ -177,6 +179,10 @@ export function unflatten(parsed, revivers) {
 			hydrated[index] = object;
 
 			for (const key in value) {
+				if (key === '__proto__') {
+					throw new Error('Cannot parse an object with a `__proto__` property');
+				}
+
 				const n = value[key];
 				object[key] = hydrate(n);
 			}
diff --git a/test/test.js b/test/test.js
@@ -681,6 +681,16 @@ const invalid = [
 		name: 'empty array',
 		json: '[]',
 		message: 'Invalid input'
+	},
+	{
+		name: 'prototype pollution',
+		json: '[{"__proto__":1},{}]',
+		message: 'Cannot parse an object with a `__proto__` property'
+	},
+	{
+		name: 'bad index',
+		json: '[{"0":1,"toString":"push"},"hello"]',
+		message: 'Invalid input'
 	}
 ];
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'devalue': patch
 +---
++
 +fix: disallow array method access when parsing