It's possible to pollute object prototype

[bebraw]

Consider the following test:

it("should not pollute __proto__", function () {
    const obj = { tmp: "" };

    // @ts-ignore: Pollute __proto__ on purpose
    merge(obj, (obj.__proto__.polluted = "Proto has been polluted"));

    const obj_new = [];

    // @ts-ignore: Pollute __proto__ on purpose
    expect(obj_new.polluted).toEqual(undefined);
});

The problem is, if there's a block like (obj.__proto__.polluted = "Proto has been polluted"), it's polluting the original obj.

I tried fixing it in various ways but it doesn't seem fixable and even with a no-op (i.e. return object), it's still polluted.

It would be great if someone could point out a way to fix the issue. Any sort of serialization is out of the window since you can merge objects with functions.

You can run the test at https://github.com/survivejs/webpack-merge/tree/fix/do-not-pollute .

Thanks to Daniel Elkabes from WhiteSource Software for pointing out the issue.

[bebraw]

Based on Daniel fixing the issue is out of scope of this package after all so I'm closing this as wontfix as there's nothing to fix.