From 6022567c754a8f1d0b117168b67324da7200fa3c Mon Sep 17 00:00:00 2001
From: Douglas Christopher Wilson <doug@somethingdoug.com>
Date: Thu, 23 Feb 2017 01:56:58 -0500
Subject: [PATCH] Use setprototypeof module to replace __proto__ setting

closes #1967
closes #2613
closes #3103
closes #3164
---
 History.md             |  1 +
 lib/application.js     | 13 +++++++------
 lib/middleware/init.js | 11 +++++++++--
 lib/router/index.js    |  3 ++-
 package.json           |  1 +
 5 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/History.md b/History.md
index be606575be..5e12afa995 100644
--- a/History.md
+++ b/History.md
@@ -6,6 +6,7 @@ unreleased
     - Improves compatibility with Node.js 8 nightly
   * Skip routing when `req.url` is not set
   * Use `Object.create` to setup request & response prototypes
+  * Use `setprototypeof` module to replace `__proto__` setting
   * Use `statuses` instead of `http` module for status messages
   * deps: debug@2.6.1
     - Allow colors in workers
diff --git a/lib/application.js b/lib/application.js
index 0ee4def389..0fe0eb4402 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -28,6 +28,7 @@ var deprecate = require('depd')('express');
 var flatten = require('array-flatten');
 var merge = require('utils-merge');
 var resolve = require('path').resolve;
+var setPrototyeOf = require('setprototypeof')
 var slice = Array.prototype.slice;
 
 /**
@@ -94,10 +95,10 @@ app.defaultConfiguration = function defaultConfiguration() {
     }
 
     // inherit protos
-    this.request.__proto__ = parent.request;
-    this.response.__proto__ = parent.response;
-    this.engines.__proto__ = parent.engines;
-    this.settings.__proto__ = parent.settings;
+    setPrototyeOf(this.request, parent.request)
+    setPrototyeOf(this.response, parent.response)
+    setPrototyeOf(this.engines, parent.engines)
+    setPrototyeOf(this.settings, parent.settings)
   });
 
   // setup locals
@@ -227,8 +228,8 @@ app.use = function use(fn) {
     router.use(path, function mounted_app(req, res, next) {
       var orig = req.app;
       fn.handle(req, res, function (err) {
-        req.__proto__ = orig.request;
-        res.__proto__ = orig.response;
+        setPrototyeOf(req, orig.request)
+        setPrototyeOf(res, orig.response)
         next(err);
       });
     });
diff --git a/lib/middleware/init.js b/lib/middleware/init.js
index f3119ed3a1..328c4a863d 100644
--- a/lib/middleware/init.js
+++ b/lib/middleware/init.js
@@ -8,6 +8,13 @@
 
 'use strict';
 
+/**
+ * Module dependencies.
+ * @private
+ */
+
+var setPrototyeOf = require('setprototypeof')
+
 /**
  * Initialization middleware, exposing the
  * request and response to each other, as well
@@ -25,8 +32,8 @@ exports.init = function(app){
     res.req = req;
     req.next = next;
 
-    req.__proto__ = app.request;
-    res.__proto__ = app.response;
+    setPrototyeOf(req, app.request)
+    setPrototyeOf(res, app.response)
 
     res.locals = res.locals || Object.create(null);
 
diff --git a/lib/router/index.js b/lib/router/index.js
index 83ad8b500f..2c4239eba1 100644
--- a/lib/router/index.js
+++ b/lib/router/index.js
@@ -21,6 +21,7 @@ var debug = require('debug')('express:router');
 var deprecate = require('depd')('express');
 var flatten = require('array-flatten');
 var parseUrl = require('parseurl');
+var setPrototypeOf = require('setprototypeof')
 
 /**
  * Module variables.
@@ -47,7 +48,7 @@ var proto = module.exports = function(options) {
   }
 
   // mixin Router class functions
-  router.__proto__ = proto;
+  setPrototypeOf(router, proto)
 
   router.params = {};
   router._params = [];
diff --git a/package.json b/package.json
index 36d83cb966..daa1580b2f 100644
--- a/package.json
+++ b/package.json
@@ -50,6 +50,7 @@
     "range-parser": "~1.2.0",
     "send": "0.14.2",
     "serve-static": "~1.11.2",
+    "setprototypeof": "1.0.3",
     "statuses": "~1.3.1",
     "type-is": "~1.6.14",
     "utils-merge": "1.0.0",