fix: use null prototype objects internally to prevent crashes#85
fix: use null prototype objects internally to prevent crashes#85abhu85 wants to merge 1 commit intominimistjs:mainfrom
Conversation
This prevents TypeError when parsing options named after Object
prototype methods (--toString, --hasOwnProperty, --valueOf, etc).
The crash occurred because internal lookup objects like `aliases`
inherited from Object.prototype, causing `aliases['toString']`
to return the inherited function instead of undefined.
By using `{ __proto__: null }` for internal objects (`aliases`,
`flags.bools`, `flags.strings`), we ensure that only explicitly
set keys exist on these objects.
Fixes minimistjs#47
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Is this PR entirely AI/LLM generated? |
|
Interesting. I was thinking would need changes to |
|
@abhu85 Please turn on the checkbox for "Allow edits and access to secrets by maintainers" on your Pull Request. This is helpful for this repo, and is failing the workflow check: https://github.com/ljharb/require-allow-edits |
|
Enabled maintainer edits. The workflow check should pass now. |
Enabled maintainer edits. The workflow check has passed now, please review |
|
I am able to run node 0.8 and see literal null prototype However, ChatGPT suggests 0.8 might be the oldest version that the syntax is supported due to when the support landed in V8. It says @ljharb does this sound a possible issue with early version support to dig into further, or are you confident literal null prototype works in 0.4 and 0.6? |
|
ChatGPT is very wrong; there has never been a node version that lacked the syntax support (the oldest I have installed atm is 0.5, and that has it as well) That said, fully AI-generated PRs shouldn't be contributed to or accepted by open source projects for a number of reasons, but the PR LGTM otherwise. |
|
Thanks for the review and confirming the Node version compatibility @ljharb. I understand and respect your position on AI-generated PRs in open source. If you're not comfortable merging this, please feel free to close it - no hard feelings. The fix is straightforward enough that a maintainer could implement it directly if/when desired. Appreciate your time reviewing this. |
$ node -e "console.log(require('minimist')(['--toString']))"
{ _: [], toString: [ [Function: toString], true ] }This shows that minimist is not crashing (good), but not returning a sensible result (bad). That The direct cause is the variable tracking the result still has a prototype, which you can see by inserting a trace statement: just before this line in Line 114 in ecfdaea so minimist decides it is adding to an existing value and creates an array. |
Summary
Fixes #47
This PR prevents
TypeErrorwhen parsing options named after Object prototype methods (--toString,--hasOwnProperty,--valueOf, etc).Before this fix:
After this fix:
Root Cause
The crash occurred because internal lookup objects like
aliasesinherited fromObject.prototype, causingaliases['toString']to return the inherited function instead ofundefined. When the code tried to call.forEach()on this function (after the|| []fallback didn't apply), it threw.Solution
Following @ljharb's suggestion in #47, this PR uses
{ __proto__: null }for internal objects:aliasesflags.boolsflags.stringsThis ensures only explicitly set keys exist on these objects, preventing any interaction with inherited prototype methods.
Changes
{ __proto__: null }foraliases,flags.bools, andflags.stringsTest Plan
--toString,--hasOwnProperty,--valueOf, etc.