hasOwnProperty was exported accidentally from the package

[iegik]

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch @emotion/react@11.11.3 for the project I'm working on.

I found that hasOwnProperty was exported accidentally:

var hasOwnProperty = {}.hasOwnProperty;
...
exports.hasOwnProperty = hasOwnProperty;

Here is the diff that solved my problem:

diff --git a/node_modules/@emotion/react/dist/emotion-element-48d2c2e4.cjs.dev.js b/node_modules/@emotion/react/dist/emotion-element-48d2c2e4.cjs.dev.js
index 9836e58..2c3b083 100644
--- a/node_modules/@emotion/react/dist/emotion-element-48d2c2e4.cjs.dev.js
+++ b/node_modules/@emotion/react/dist/emotion-element-48d2c2e4.cjs.dev.js
@@ -306,7 +306,6 @@ exports.ThemeContext = ThemeContext;
 exports.ThemeProvider = ThemeProvider;
 exports.__unsafe_useEmotionCache = __unsafe_useEmotionCache;
 exports.createEmotionProps = createEmotionProps;
-exports.hasOwnProperty = hasOwnProperty;
 exports.isBrowser = isBrowser;
 exports.useTheme = useTheme;
 exports.withTheme = withTheme;

This issue body was partially generated by patch-package.

[iegik]

Fix added #3159

[Andarist]

You are not mentioning what the problem is though. I don't see how this would be relevant for the final consumer (like you). It's an internal file.

[iegik]

Problem is that hasOwnProperty already exists in exports object. The emotion/react bundle tries override the method with new one. This is dumb and can be omitted by this patch. See other packages in the same project, where hasOwnProperty where used. ({}.hasOwnProperty)

For-more, since exports is actually an object, it has already exports the .hasOwnProperty property through the prototype.

[Andarist]

For-more, since exports is actually an object, it has already exports the .hasOwnProperty property through the prototype.

I'm aware of that. But what problem does this overridden method create here? We can freely override methods like this as long as it's not observable in a negative way.

[iegik]

Cut your finger and attach again. No problem, isn't it? :)

[Andarist]

I'm sorry - I don't understand what you mean and I still don't see what the reported problem is. I'd appreciate if you'd focus on technical sides of things here.

[iegik]

To prevent changes to prototype objects I use Object.freeze(Object.prototype) as mentioned as a solution here: https://portswigger.net/web-security/prototype-pollution/preventing

It works with most other packages. And throws an error with emotion.

The error looks like this:

TypeError: Cannot assign to read only property 'hasOwnProperty' of object '[object Object]'

node_modules/@emotion/react/dist/emotion-react.cjs.dev.js:5:22

// var emotionElement = require('./emotion-element-48d2c2e4.cjs.dev.js');
// ...
// var hasOwnProperty = {}.hasOwnProperty;
// ...
// exports.hasOwnProperty = hasOwnProperty;

[Andarist]

fixed by #3159