From f2967db42430e64d6d55c5d8c91a04f208a6cecc Mon Sep 17 00:00:00 2001
From: Yadhav Jayaraman <57544838+decyjphr@users.noreply.github.com>
Date: Fri, 27 Sep 2024 12:21:56 -0400
Subject: [PATCH] Fix code scanning alert no. 2: Prototype-polluting function

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 lib/mergeDeep.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/mergeDeep.js b/lib/mergeDeep.js
index 054a5b34..da50bc92 100644
--- a/lib/mergeDeep.js
+++ b/lib/mergeDeep.js
@@ -91,6 +91,10 @@ class MergeDeep {
 // One of the oddities is when we compare objects, we are only interested in the properties of source
 // So any property in the target that is not in the source is not treated as a deletion
 for (const key in source) {
+ // Skip prototype pollution properties
+ if (key === "__proto__" || key === "constructor") {
+ continue;
+ }
 // Logic specific for Github
 // API response includes urls for resources, or other ignorable fields; we can ignore them
 if (key.indexOf('url') >= 0 || this.ignorableFields.indexOf(key) >= 0) {
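Review bot: The added blocklist stops at `__proto__` and `constructor`, but the reason `constructor` is on it is that `target.constructor.prototype` is reachable through it, and a key named `prototype` gives the same reach when the value being merged into is a function; the usual guard is `if (key === "__proto__" || key === "constructor" || key === "prototype") {`. The `for (const key in source)` loop also visits inherited enumerable keys, so an `if (!Object.hasOwn(source, key)) continue;` ahead of the blocklist would keep the merge to the source's own properties — unless the project deliberately relies on inherited keys here, which is worth confirming. The new comment could say why rather than what, e.g. `// Refuse keys that can reach Object.prototype through the target (prototype pollution)`. The enclosing method starts and ends outside the hunk, so whether a skipped key is later treated as a deletion on the target is not visible here.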