From 560262564d7b0a41a4fbc01400e16b01411b2f6b Mon Sep 17 00:00:00 2001
From: Laurin Quast <laurinquast@googlemail.com>
Date: Thu, 14 Apr 2022 09:52:40 +0200
Subject: [PATCH] fix: possible prototype pollution within merge

---
 src/merge.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/merge.js b/src/merge.js
index d428b14..49f467b 100644
--- a/src/merge.js
+++ b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 			}
 		} else {
 			for (k in b) {
+				if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 				a[k] = merge(a[k], b[k]);
 			}
 		}