protofree is a module designed to increase the security of node.js through eliminating usage
of the __proto__ object property.
In node.js, all regular objects contain a obj.__proto__ property, which can be used to query the
prototype of an object, as well as assigning it another prototype. This "magic" property has been
the cause of numerous security issues through the years,
both by accidentially modifying the global Object.prototype, and by assigning a new prototype to
an existing object, and changing its behavior.
Given these issues, and that it is an API where any usage can be replaced with other safer APIs, there is no good reason to continue allowing this surprising behavior.
npm install protofree
protofree is intended to be injected into node through the --require option.
Three variants are available to use with --require:
protofree/apply – Completely removes the special obj.__proto__ handling from node.protofree/partial – Change obj.__proto__ to always return undefined.protofree/deprecate – Preserves obj.__proto__ handling, but logs each use with
console.trace().In general, the protofree/apply variant should be used. However, it can cause issues when using
modules that continue to rely on the __proto__ property for modifying the prototype. In that case,
the protofree/partial variant can be used. While it doesn't protect against accidental re-assignment, it does protect against the more serious global Object.prototype poisoning.
The protofree/deprecate is not for normal usage, but rather for development and testing.
It can help expose existing usage of obj.__proto__ in your code or dependencies.
Note that these can also be injected into node through the NODE_OPTIONS env variable, eg.
NODE_OPTIONS="-r protofree/apply". If desired, the relevant variant can also be required normally,
or the API can be used to activate it manually through the protofree module.
node -r protofree/apply index.js
To avoid using __proto__ in your own code, the eslint
no-proto rule can be enabled.
An API is exposed through requiring the main module:
const ProtoFree = require('protofree);
ProtoFree.apply([options])Enable an override of the __proto__ property. Without any options, the property is deleted, and will no longer have any special meaning.
options - optional settings:
partial - Only changes the getter to always return undefined.deprecate - Preserves __proto__ handling, but logs each use with options.tracer or
console.trace.tracer - Method that is called whenever the __proto__ property is accessed. Only works
with the deprecate option.ProtoFree.restore()Restores Object.prototype.__proto__ to the default behavior.
FAQs
Disable the __proto__ property for better security
We found that protofree demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A critical vm2 sandbox escape can allow untrusted JavaScript to break isolation and execute commands on the host Node.js process.
Research
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and local files.
Security News
pnpm 11 turns on a 1-day Minimum Release Age and blocks exotic subdeps by default, adding safeguards against fast-moving supply chain attacks.