@mikro-orm/core
Advanced tools
| import { Collection } from './Collection.js'; | ||
| import { Utils } from '../utils/Utils.js'; | ||
| import { DANGEROUS_PROPERTY_NAMES, Utils } from '../utils/Utils.js'; | ||
| import { Reference } from './Reference.js'; | ||
@@ -38,2 +38,6 @@ import { ReferenceKind, SCALAR_TYPES } from '../enums.js'; | ||
| static assignProperty(entity, propName, props, data, options) { | ||
| // needs to happen before the `props` lookup, as those keys resolve to inherited accessors | ||
| if (DANGEROUS_PROPERTY_NAMES.includes(propName)) { | ||
| return; | ||
| } | ||
| let value = data[propName]; | ||
@@ -40,0 +44,0 @@ const onlyProperties = options.onlyProperties && !(propName in props); |
@@ -1,2 +0,2 @@ | ||
| import { Utils } from '../utils/Utils.js'; | ||
| import { DANGEROUS_PROPERTY_NAMES, Utils } from '../utils/Utils.js'; | ||
| import { normalizePartitionNameForComparison, splitCommaSeparatedIdentifiers } from '../utils/partition-utils.js'; | ||
@@ -6,16 +6,4 @@ import { MetadataError } from '../errors.js'; | ||
| /** | ||
| * List of property names that could lead to prototype pollution vulnerabilities. | ||
| * These names should never be used as entity property names because they could | ||
| * allow malicious code to modify object prototypes when property values are assigned. | ||
| * | ||
| * - `__proto__`: Could modify the prototype chain | ||
| * - `constructor`: Could modify the constructor property | ||
| * - `prototype`: Could modify the prototype object | ||
| * | ||
| * @internal | ||
| */ | ||
| const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype']; | ||
| /** | ||
| * @internal | ||
| */ | ||
| export class MetadataValidator { | ||
@@ -22,0 +10,0 @@ validateEntityDefinition(metadata, name, options) { |
+1
-1
| { | ||
| "name": "@mikro-orm/core", | ||
| "version": "7.1.7-dev.8", | ||
| "version": "7.1.7", | ||
| "description": "TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript.", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
+12
-0
@@ -6,2 +6,14 @@ import type { CompiledFunctions, Dictionary, EntityData, EntityDictionary, EntityKey, EntityMetadata, EntityName, EntityProperty, Primary } from '../typings.js'; | ||
| import { type RawQueryFragmentSymbol } from './RawQueryFragment.js'; | ||
| /** | ||
| * List of property names that could lead to prototype pollution vulnerabilities. | ||
| * These names should never be used as entity property names because they could | ||
| * allow malicious code to modify object prototypes when property values are assigned. | ||
| * | ||
| * - `__proto__`: Could modify the prototype chain | ||
| * - `constructor`: Could modify the constructor property | ||
| * - `prototype`: Could modify the prototype object | ||
| * | ||
| * @internal | ||
| */ | ||
| export declare const DANGEROUS_PROPERTY_NAMES: readonly string[]; | ||
| /** Deeply compares two objects for equality, handling dates, regexes, and raw fragments. */ | ||
@@ -8,0 +20,0 @@ export declare function compareObjects(a: any, b: any): boolean; |
+14
-2
@@ -8,2 +8,14 @@ import { clone } from './clone.js'; | ||
| import { Raw, isRaw } from './RawQueryFragment.js'; | ||
| /** | ||
| * List of property names that could lead to prototype pollution vulnerabilities. | ||
| * These names should never be used as entity property names because they could | ||
| * allow malicious code to modify object prototypes when property values are assigned. | ||
| * | ||
| * - `__proto__`: Could modify the prototype chain | ||
| * - `constructor`: Could modify the constructor property | ||
| * - `prototype`: Could modify the prototype object | ||
| * | ||
| * @internal | ||
| */ | ||
| export const DANGEROUS_PROPERTY_NAMES = ['__proto__', 'constructor', 'prototype']; | ||
| function compareConstructors(a, b) { | ||
@@ -145,3 +157,3 @@ if (a.constructor === b.constructor) { | ||
| static PK_SEPARATOR = '~~~'; | ||
| static #ORM_VERSION = '7.1.7-dev.8'; | ||
| static #ORM_VERSION = '7.1.7'; | ||
| /** | ||
@@ -237,3 +249,3 @@ * Checks if the argument is instance of `Object`. Returns false for arrays. | ||
| for (const [key, value] of Object.entries(source)) { | ||
| if (['__proto__', 'constructor', 'prototype'].includes(key)) { | ||
| if (DANGEROUS_PROPERTY_NAMES.includes(key)) { | ||
| continue; | ||
@@ -240,0 +252,0 @@ } |
AI-detected potential code anomaly
Supply chain riskAI has identified unusual behaviors that may pose a security risk.
Found 2 instances
AI-detected potential code anomaly
Supply chain riskAI has identified unusual behaviors that may pose a security risk.
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
1569012
0.05%33558
0.05%1
-50%10
11.11%