fix: group prototype-named keys safely#3855
Conversation
✅ Deploy Preview for fakerjs ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## next #3855 +/- ##
=======================================
Coverage 98.91% 98.91%
=======================================
Files 905 905
Lines 3146 3148 +2
Branches 581 581
=======================================
+ Hits 3112 3114 +2
Misses 30 30
Partials 4 4
🚀 New features to boost your workflow:
|
ST-DDT
added
c: bug
There was a problem hiding this comment.
Pull request overview
This PR updates the internal groupBy helper to safely handle prototype-named keys (e.g. __proto__) by accumulating groups in a Map, and adds a regression test to ensure those keys are treated as ordinary group names.
Changes:
- Switched
groupBy’s internal accumulator from a plain object to aMapto avoid special-case prototype keys during grouping. - Converted grouped
Mapentries back into the existingRecord<string, …>return shape viaObject.fromEntries. - Added a regression test covering grouping under
__proto__.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/internal/group-by.ts |
Uses a Map for safe bucket accumulation and converts back to an object on return. |
test/internal/group-by.spec.ts |
Adds regression coverage for grouping under prototype property names. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const result = new Map<string | number, TMappedValue[]>(); | ||
|
|
||
| for (const value of values) { | ||
| const key = keyMapper(value); | ||
| if (result[key] === undefined) { | ||
| result[key] = []; | ||
| let group = result.get(key); | ||
| if (group === undefined) { | ||
| group = []; | ||
| result.set(key, group); | ||
| } |
| (value) => value | ||
| ); | ||
|
|
||
| expect(result.__proto__).toEqual(['first', 'second']); |
ST-DDT
left a comment
ST-DDT
left a comment
There was a problem hiding this comment.
I'm not sure, whether I would want anyone to use __proto__ as a key.
Do you have a need for that?
What do the others think?
ST-DDT
added
s: awaiting more info
xDivisionByZerox
left a comment
xDivisionByZerox
left a comment
There was a problem hiding this comment.
The method groupBy is an internal method that mimics the API of the official Object#groupBy function. We cannot use the native function due to it requiring at least Node v21 - we currently still support Node v20.
While you are correct that Object#groupBy does support the use case you are adding, I do not see any reason for us to add it to our code base as of right now. groupBy is [only used in 3 different places](https://github.com/search?q=repo%3Afaker-js%2Ffaker%20groupBy(&type=code) and none of those require safe prototype name grouping:
faker/scripts/apidocs/processing/method.ts
Line 101 in 8b4e2b1
faker/scripts/apidocs/output/page-index.ts
Lines 18 to 22 in 8b4e2b1
Furthermore, only the last of these cases is actually used during the runtime of Faker and it clearly maps a numeric value to the object keys - so no prototype names.
Because of the stated reasons, I would decline this PR.
Summary
Tests