projects / gamesguru / tg-svelte-kit.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 096e433)
fix: use hasOwn check when deep-setting object properties (#15127)
authorRich Harris <richard.a.harris@gmail.com>
Mon, 5 Jan 2026 16:21:43 +0000 (16:21 +0000)
committerGitHub <noreply@github.com>
Mon, 5 Jan 2026 16:21:43 +0000 (16:21 +0000)
.changeset/solid-apples-clap.md [new file with mode: 0644] patch | blob
packages/kit/src/runtime/form-utils.js patch | blob | history
packages/kit/src/runtime/form-utils.spec.js patch | blob | history

diff --git a/.changeset/solid-apples-clap.md b/.changeset/solid-apples-clap.md
new file mode 100644 (file)
index 0000000..8691d70
--- /dev/null
+++ b/.changeset/solid-apples-clap.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: use hasOwn check when deep-setting object properties
diff --git a/packages/kit/src/runtime/form-utils.js b/packages/kit/src/runtime/form-utils.js
index 78554b4e058b34972391e895c3a5efd85f7cfe12..7616af3b3ee22b8c196e6e4214555d291f6df166 100644 (file)
--- a/packages/kit/src/runtime/form-utils.js
+++ b/packages/kit/src/runtime/form-utils.js
@@ -441,7 +441,7 @@ export function deep_set(object, keys, value) {
                check_prototype_pollution(key);
 
                const is_array = /^\d+$/.test(keys[i + 1]);
-               const exists = key in current;
+               const exists = Object.hasOwn(current, key);
                const inner = current[key];
 
                if (exists && is_array !== Array.isArray(inner)) {
diff --git a/packages/kit/src/runtime/form-utils.spec.js b/packages/kit/src/runtime/form-utils.spec.js
index 96b153c4a3b76ece8e8d2317a1606eb30a0d1e9a..2da47208fe7216957b721a848b1df6e033e17ecd 100644 (file)
--- a/packages/kit/src/runtime/form-utils.spec.js
+++ b/packages/kit/src/runtime/form-utils.spec.js
@@ -2,6 +2,7 @@ import { beforeAll, describe, expect, test } from 'vitest';
 import {
        BINARY_FORM_CONTENT_TYPE,
        convert_formdata,
+       deep_set,
        deserialize_binary_form,
        serialize_binary_form,
        split_path
@@ -243,3 +244,16 @@ describe('binary form serializer', () => {
                expect(res.data).toEqual({ a: 1 });
        });
 });
+
+describe('deep_set', () => {
+       test('always creates own property', () => {
+               const target = {};
+
+               deep_set(target, ['toString', 'property'], 'hello');
+
+               // @ts-ignore
+               expect(target.toString.property).toBe('hello');
+               // @ts-ignore
+               expect(Object.prototype.toString.property).toBeUndefined();
+       });
+});
Unnamed repository; edit this file 'description' to name the repository.