From 971f09abe486185247e1faf4e8d1419ba2506b8d Mon Sep 17 00:00:00 2001
From: Luca Casonato
Date: Thu, 23 May 2024 00:03:35 +0200
Subject: fix(runtime): use more null proto objects (#23921)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a primordialization effort to improve resistance against users tampering with the global `Object` prototype.

---------

Co-authored-by: Bartek IwaƄczuk
---
 cli/js/40_jupyter.js | 4 ++--
 cli/js/40_test.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'cli')

diff --git a/cli/js/40_jupyter.js b/cli/js/40_jupyter.js
index 9fab1c414..0e0a4d7ac 100644
--- a/cli/js/40_jupyter.js
+++ b/cli/js/40_jupyter.js
@@ -342,7 +342,7 @@ function enableJupyter() {
 async function broadcast(
 msgType,
 content,
- { metadata = {}, buffers = [] } = {},
+ { metadata = { __proto__: null }, buffers = [] } = { __proto__: null },
 ) {
 await op_jupyter_broadcast(msgType, content, metadata, buffers);
 }
@@ -400,7 +400,7 @@ function enableJupyter() {
 if (options.update) {
 messageType = "update_display_data";
 }
- let transient = {};
+ let transient = { __proto__: null };
 if (options.display_id) {
 transient = { display_id: options.display_id };
 }
diff --git a/cli/js/40_test.js b/cli/js/40_test.js
index d93228940..2877bfa9b 100644
--- a/cli/js/40_test.js
+++ b/cli/js/40_test.js
@@ -196,7 +196,7 @@ function testInner(
 nameOrFnOrOptions,
 optionsOrFn,
 maybeFn,
- overrides = {},
+ overrides = { __proto__: null },
 ) {
 // No-op if we're not running in `deno test` subcommand.
 if (typeof op_register_test !== "function") {
-- 
cgit v1.2.3
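Review bot: The null-prototype defaults in `broadcast`'s third parameter only take effect when the caller omits the options argument or leaves `metadata` undefined. When a caller passes an ordinary object, the destructuring still reads `metadata` and `buffers` through that object's prototype chain, so a tampered `Object.prototype.metadata` or `Object.prototype.buffers` would be handed to `op_jupyter_broadcast`. The same limitation applies to `overrides = { __proto__: null }` in `testInner` (`cli/js/40_test.js`), whose body continues outside the hunk, so how `overrides` is read is not visible here. If inherited keys on caller-supplied objects are in scope for this hardening, copy own properties first, e.g. take `options = { __proto__: null }` and destructure from `{ __proto__: null, ...options }`. Otherwise a short comment such as `// null-proto default only; caller-supplied objects are used as passed` would record the boundary.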
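Review bot: The null-prototype object now assigned to `transient` is thrown away on the `options.display_id` branch, because the unchanged line `transient = { display_id: options.display_id };` replaces it with an ordinary object that inherits from `Object.prototype`. The hardening therefore covers only the case where no `display_id` is given. The reassignment should be `transient = { __proto__: null, display_id: options.display_id };` so both paths produce the same kind of object. The enclosing function starts and ends outside the hunk, so how `transient` is consumed afterwards cannot be confirmed from here.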