diff --git a/lib/mergeDeep.js b/lib/mergeDeep.js
index 054a5b34..da50bc92 100644
--- a/lib/mergeDeep.js
+++ b/lib/mergeDeep.js
@@ -91,6 +91,10 @@ class MergeDeep {
 // One of the oddities is when we compare objects, we are only interested in the properties of source
 // So any property in the target that is not in the source is not treated as a deletion
 for (const key in source) {
+ // Skip prototype pollution properties
+ if (key === "__proto__" || key === "constructor") {
+ continue;
+ }
 // Logic specific for Github
 // API response includes urls for resources, or other ignorable fields; we can ignore them
 if (key.indexOf('url') >= 0 || this.ignorableFields.indexOf(key) >= 0) {
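Review bot: The guard added at the top of the `for (const key in source)` loop is a two-name denylist, and `for...in` also visits inherited enumerable keys, so `prototype` and anything reaching `source` through its prototype chain still fall through to the comparison logic. If inherited keys are not meant to be compared, consider `if (key === '__proto__' || key === 'constructor' || key === 'prototype' || !Object.prototype.hasOwnProperty.call(source, key)) { continue; }`, which also matches the single-quote style of the `'url'` literal a few lines below. The skip is silent, so the comment could say why these keys are dropped, e.g. `// Never merge keys that can reach Object.prototype; source may be parsed from untrusted config`. The loop body continues outside the hunk, so it is worth confirming that nested objects recurse through this same check and adding a regression test that feeds a parsed `{"__proto__": {...}}` source and asserts `Object.prototype` is unchanged.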