Merge pull request #384 from 418sec/1-npm-convict

Security Fix for Prototype Pollution - huntr.dev

Author: dannycoates

packages/convict/src/main.js

@@ -561,8 +561,10 @@ const convict = function convict(def, opts) {
       const path = k.split('.')
       const childKey = path.pop()
       const parentKey = path.join('.')
-      const parent = walk(this._instance, parentKey, true)
-      parent[childKey] = v
+      if (!(parentKey == '__proto__' || parentKey == 'constructor' || parentKey == 'prototype')) {
+        const parent = walk(this._instance, parentKey, true)
+        parent[childKey] = v 
+      }
       return this
     },