From 6ad6035b901b3d680beac82de39ca83a93885246 Mon Sep 17 00:00:00 2001
From: yeikos <yeikos@gmail.com>
Date: Sat, 27 Oct 2018 19:25:39 +0200
Subject: [PATCH 1/2] Fix prototype pollution

---
 LICENSE        |  2 +-
 bower.json     |  2 +-
 merge.js       |  4 +++-
 merge.min.js   |  4 ++--
 package.json   |  4 ++--
 tests/tests.js | 38 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/LICENSE b/LICENSE
index a0fdbba..5538057 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2014 yeikos - http://www.yeikos.com
+Copyright (c) 2014 yeikos
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/bower.json b/bower.json
index bd5de03..a35de11 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "merge",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "homepage": "https://github.com/yeikos/js.merge",
   "authors": [
     "yeikos <yeikos@gmail.com>"
diff --git a/merge.js b/merge.js
index d856db6..2aafcad 100644
--- a/merge.js
+++ b/merge.js
@@ -1,5 +1,5 @@
 /*!
- * @name JavaScript/NodeJS Merge v1.2.0
+ * @name JavaScript/NodeJS Merge v1.2.1
  * @author yeikos
  * @repository https://github.com/yeikos/js.merge
 
@@ -128,6 +128,8 @@
 
 			for (var key in item) {
 
+				if (key === '__proto__') continue;
+
 				var sitem = clone ? Public.clone(item[key]) : item[key];
 
 				if (recursive) {
diff --git a/merge.min.js b/merge.min.js
index 9f8b578..00d1b1d 100644
--- a/merge.min.js
+++ b/merge.min.js
@@ -1,3 +1,3 @@
-/*! JavaScript/NodeJS Merge v1.2.0 | Copyright 2014 yeikos - MIT license | https://github.com/yeikos/js.merge */
+/*! JavaScript/NodeJS Merge v1.2.1 | Copyright 2014 yeikos - MIT license | https://github.com/yeikos/js.merge */
 
-;(function(e){function r(e,t){if(s(e)!=="object")return t;for(var n in t){if(s(e[n])==="object"&&s(t[n])==="object"){e[n]=r(e[n],t[n])}else{e[n]=t[n]}}return e}function i(e,n,i){var o=i[0],u=i.length;if(e||s(o)!=="object")o={};for(var a=0;a<u;++a){var f=i[a],l=s(f);if(l!=="object")continue;for(var c in f){var h=e?t.clone(f[c]):f[c];if(n){o[c]=r(o[c],h)}else{o[c]=h}}}return o}function s(e){return{}.toString.call(e).slice(8,-1).toLowerCase()}var t=function(e){return i(e===true,false,arguments)},n="merge";t.recursive=function(e){return i(e===true,true,arguments)};t.clone=function(e){var n=e,r=s(e),i,o;if(r==="array"){n=[];o=e.length;for(i=0;i<o;++i)n[i]=t.clone(e[i])}else if(r==="object"){n={};for(i in e)n[i]=t.clone(e[i])}return n};if(e){module.exports=t}else{window[n]=t}})(typeof module==="object"&&module&&typeof module.exports==="object"&&module.exports);
\ No newline at end of file
+;(function(e){function r(e,t){if(s(e)!=="object")return t;for(var n in t){if(s(e[n])==="object"&&s(t[n])==="object"){e[n]=r(e[n],t[n])}else{e[n]=t[n]}}return e}function i(e,n,i){var o=i[0],u=i.length;if(e||s(o)!=="object")o={};for(var a=0;a<u;++a){var f=i[a],l=s(f);if(l!=="object")continue;for(var c in f){if(c==="__proto__")continue;var h=e?t.clone(f[c]):f[c];if(n){o[c]=r(o[c],h)}else{o[c]=h}}}return o}function s(e){return{}.toString.call(e).slice(8,-1).toLowerCase()}var t=function(e){return i(e===true,false,arguments)},n="merge";t.recursive=function(e){return i(e===true,true,arguments)};t.clone=function(e){var n=e,r=s(e),i,o;if(r==="array"){n=[];o=e.length;for(i=0;i<o;++i)n[i]=t.clone(e[i])}else if(r==="object"){n={};for(i in e)n[i]=t.clone(e[i])}return n};if(e){module.exports=t}else{window[n]=t}})(typeof module==="object"&&module&&typeof module.exports==="object"&&module.exports);
\ No newline at end of file
diff --git a/package.json b/package.json
index 1db8020..8175b65 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "merge",
-  "version": "1.2.0",
-  "author": "yeikos (http://www.yeikos.com)",
+  "version": "1.2.1",
+  "author": "yeikos",
   "description": "Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.",
   "main": "merge.js",
   "license": "MIT",
diff --git a/tests/tests.js b/tests/tests.js
index 22959aa..8731178 100644
--- a/tests/tests.js
+++ b/tests/tests.js
@@ -50,6 +50,25 @@ test('merge', function() {
 
 });
 
+test('merge (prototype pollution attack)', function() {
+
+	deepEqual(
+
+		merge({}, JSON.parse('{"__proto__": {"a": true}}')),
+		{}
+
+	);
+
+	deepEqual(
+
+		{}.a,
+
+		undefined
+
+	);
+
+});
+
 test('merge (clone)', function() {
 
 	var input = {
@@ -143,6 +162,25 @@ test('merge.recursive', function() {
 
 });
 
+test('merge.recursive (prototype pollution attack)', function() {
+
+	deepEqual(
+
+		merge.recursive({}, JSON.parse('{"__proto__": {"a": true}}')),
+		{}
+
+	);
+
+	deepEqual(
+
+		{}.a,
+
+		undefined
+
+	);
+
+});
+
 test('merge.recursive (clone)', function() {
 
 	var input = { a: { b: 1 } };

From b31e67fe6592390c967c991aa604c06ed2ae8c4f Mon Sep 17 00:00:00 2001
From: yeikos <yeikos@gmail.com>
Date: Sat, 27 Oct 2018 19:29:39 +0200
Subject: [PATCH 2/2] link broken

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a8d599a..f5fed8d 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ console.log(merge.recursive(true, original, { x: { z: 2 } }));
 ## Browser Usage
 
 ```html
-<script src="http://files.yeikos.com/merge.js"></script>
+<script src="https://cdn.jsdelivr.net/gh/yeikos/js.merge/merge.js"></script>
 <script>
 	var original, cloned;