
Use Object.create(null) over {} to avoid prototype issues - v16 #4631

Merged
benjie merged 1 commit into 16.x.x from obj-create-null-16 on Mar 24, 2026

Conversation

benjie (Member) commented Mar 24, 2026

`Object.create(null)` is generally safer since it is not vulnerable to prototype pollution in user code. To avoid breaking changes I've returned `{ ...obj }`, thus ensuring that the returned object still has the default Object prototype. An alternative would be `Object.setPrototypeOf(obj, Object.prototype)`, but that messes with hidden classes, so I figured this solution is cleaner even though it's an additional object allocation. I've also tidied up the variables orphaned by #4453.
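
The pattern described in the comment above, as an added example that is not code from graphql-js or from this PR. It builds a string-keyed map from attacker-chosen keys with a plain `{}` and with `Object.create(null)`, returns the latter through `{ ...obj }` as the PR does, and also shows why `Object.assign({}, obj)` is not an equivalent way to restore the default prototype. The function names and the sample keys are constructed for this demonstration.

```javascript
// Added example (not graphql-js code). Demonstrates the two hazards a `{}`
// dictionary has with untrusted keys, the Object.create(null) fix, and the
// `{ ...obj }` copy that hands callers an object with Object.prototype again.

// Constructed sample input: keys as an attacker might send them, e.g. as
// GraphQL field or argument names. "name" repeats so a count of 2 is expected.
const UNTRUSTED_KEYS = ['name', 'constructor', '__proto__', 'name'];

// Before: plain object literal as the map.
//  - "constructor" is a phantom hit: the lookup finds Object.prototype's
//    constructor (a function), so `function + 1` yields a string, not 1.
//  - "__proto__" reaches the inherited setter; a non-object value is ignored,
//    so the key is silently dropped from the result.
function countUnsafe(keys) {
  const counts = {};
  for (const key of keys) {
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// After: a null-prototype map has no inherited members and no __proto__
// setter, so every key is an ordinary own property. The spread copy uses
// CreateDataProperty semantics: an own "__proto__" key stays a data
// property, and the returned object gets Object.prototype back.
function countSafe(keys) {
  const counts = Object.create(null);
  for (const key of keys) {
    counts[key] = (counts[key] || 0) + 1;
  }
  return { ...counts };
}

// Helper (constructed for the demo): build a null-prototype object from
// [key, value] pairs, the shape the accumulator above produces internally.
function fromPairsNullProto(pairs) {
  const obj = Object.create(null);
  for (const [key, value] of pairs) {
    obj[key] = value;
  }
  return obj;
}

// Re-parenting via spread: own "__proto__" survives as a plain key.
function copyWithSpread(nullProtoObj) {
  return { ...nullProtoObj };
}

// Pitfall: Object.assign uses [[Set]] on the fresh `{}` target, which does
// invoke the inherited __proto__ setter. With an object value the copy's
// prototype is replaced, i.e. the pollution the spread avoids comes back.
function copyWithAssign(nullProtoObj) {
  return Object.assign({}, nullProtoObj);
}

// Observable properties of a map, returned rather than printed so they can
// be checked.
function inspect(map) {
  return {
    ownKeys: Object.keys(map),
    protoIsDefault: Object.getPrototypeOf(map) === Object.prototype,
    adminVisible: map.admin === true,
  };
}
```

Note the limit of the `{ ...obj }` step: it restores the default prototype, so a caller that later does `result[untrustedKey]` lookups faces the same phantom-key problem as `{}` and should still use an own-property check. The null prototype protects the code that builds and queries the map, not every consumer of the returned object.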


benjie force-pushed the obj-create-null-16 branch from 327c70b to fef1792 on March 24, 2026 10:57
@benjie benjie merged commit 13f130d into 16.x.x Mar 24, 2026
36 checks passed
@benjie benjie added the PR: polish 💅 PR doesn't change public API or any observed behaviour label Mar 24, 2026
benjie added a commit that referenced this pull request Mar 24, 2026
## v16.13.2 (2026-03-24)

#### Docs 📝
* [#4611](#4611) add dev mode docs ([@yaacovCR](https://github.com/yaacovCR))

#### Polish 💅
* [#4631](#4631) Use `Object.create(null)` over `{}` to avoid prototype issues - v16 ([@benjie](https://github.com/benjie))

#### Internal 🏠
* [#4626](#4626) backport: internal: streamline release process (#4615) ([@yaacovCR](https://github.com/yaacovCR))

#### Committers: 2
* Benjie ([@benjie](https://github.com/benjie))
* Yaacov Rydzinski ([@yaacovCR](https://github.com/yaacovCR))
@benjie benjie mentioned this pull request Mar 24, 2026
benjie added a commit that referenced this pull request Mar 24, 2026
yaacovCR added a commit that referenced this pull request Apr 16, 2026
Forward-port of #4631. From #4631 (on v16):

> Object.create(null) is generally safer since it is not vulnerable to prototype pollution in user code. To avoid breaking changes I've returned { ...obj } thus ensuring that the returned object still has the default Object prototype.

This PR on v17 skips that latter portion, i.e. on v17 this PR returns `obj` rather than `{ ...obj }`, a BREAKING CHANGE for v17 which minimizes the performance regression.

---------

Co-authored-by: Yaacov Rydzinski <yaacovCR@gmail.com>