[email protected] prototype setting when bundling json containing a __proto__ key

[lucacasonato]

const DATA = `{
  "hello": "world",
  "__proto__": {
    "sky": "universe"
  }
}
`;

import * as esbuild0_20_0 from "npm:[email protected]";
console.log(esbuild0_20_0.version);
const res0_20_0 = await esbuild0_20_0.build({
  stdin: {
    contents: DATA,
    loader: "json",
  },
  format: "esm",
  write: false,
  absWorkingDir: Deno.cwd(),
});
console.log(res0_20_0.outputFiles[0].text);

import * as esbuild0_20_1 from "npm:[email protected]";
console.log(esbuild0_20_1.version);
const res0_20_1 = await esbuild0_20_1.build({
  stdin: {
    contents: DATA,
    loader: "json",
  },
  format: "esm",
  write: false,
  absWorkingDir: Deno.cwd(),
});
console.log(res0_20_1.outputFiles[0].text);

>>> deno run -A test.ts
0.20.0
var hello = "world";
var __proto__ = {
  sky: "universe"
};
var stdin_default = {
  hello,
  __proto__
};
export {
  __proto__,
  stdin_default as default,
  hello
};

0.20.1
var hello = "world";
var __proto__ = {
  sky: "universe"
};
var stdin_default = {
  hello,
  __proto__: __proto__
};
export {
  __proto__,
  stdin_default as default,
  hello
};

In the 0.20.1 output, the __proto__ field of the JSON is incorrectly written as __proto__: __proto__. This sets the prototype of stdin_default rather than a __proto__ key, like was happening in 0.20.0 and below.

This may be a security issue if users bundle untrusted JSON files into their code (but probably not that bad).

[lucacasonato]

Was broken by ac36537. Discovered through tests in https://github.com/lucacasonato/esbuild_deno_loader

[evanw]

Hmm, I think this perhaps never really worked. Version 0.20.0 can generate incorrect output as well. Thanks for the report! I'll fix this in the next release.

[lucacasonato]

Thanks @evanw for the quick fix!