fix: ignore inherited enumerable properties

pi0 · pi0 · commit 11ba02213d4b · 2026-04-01T18:25:41.000+02:00
harden object merging against prototype-derived keys
diff --git a/src/defu.ts b/src/defu.ts
@@ -9,12 +9,12 @@ function _defu<T>(baseObject: T, defaults: any, namespace = ".", merger?: Merger
 
   const object = { ...defaults };
 
-  for (const key in baseObject) {
+  for (const key of Object.keys(baseObject as Record<string, any>)) {
     if (key === "__proto__" || key === "constructor") {
       continue;
     }
 
-    const value = baseObject[key];
+    const value = (baseObject as Record<string, any>)[key];
 
     if (value === null || value === undefined) {
       continue;
diff --git a/test/defu.test.ts b/test/defu.test.ts
@@ -116,6 +116,25 @@ describe("defu", () => {
     expect({}.isAdmin).toBe(undefined);
   });
 
+  it("should ignore inherited enumerable properties", () => {
+    Object.defineProperty(Object.prototype, "pollutedEnum", {
+      value: 123,
+      enumerable: true,
+      configurable: true,
+      writable: true,
+    });
+
+    try {
+      const result = defu({ nested: {} }, { nested: {} });
+
+      expect(result).toEqual({ nested: {} });
+      expect(Object.keys(result)).toEqual(["nested"]);
+      expect(Object.keys(result.nested)).toEqual([]);
+    } finally {
+      delete (Object.prototype as Record<string, unknown>)["pollutedEnum"];
+    }
+  });
+
   it("should ignore non-object arguments", () => {
     expect(defu(null, { foo: 1 }, false, 123, { bar: 2 })).toEqual({
       foo: 1,
