From 90bf1c551d05940898168d04066bbf15060f50cc Mon Sep 17 00:00:00 2001
From: Jon Schlinkert <jon.schlinkert@sellside.com>
Date: Wed, 19 Jun 2019 13:52:45 -0400
Subject: [PATCH] disallow keys

---
 .verb.md     |  6 +++++-
 README.md    | 22 +++++++++++++---------
 index.js     | 17 ++++++++++++-----
 package.json |  6 +++---
 4 files changed, 33 insertions(+), 18 deletions(-)

diff --git a/.verb.md b/.verb.md
index 1985f9a..6ab8a3d 100644
--- a/.verb.md
+++ b/.verb.md
@@ -1,3 +1,7 @@
+## Heads up!
+
+[Please update][update] to version 1.0.1 or later, a critical bug was fixed in that version.
+
 ## Behavior
 
 - This follows the same behavior as [Object.assign()][assign], and thus _does not_ deep clone values.
@@ -40,4 +44,4 @@ console.log(assign(config, locals));
 // }
 ```
 
-[assign]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
+[assign]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
\ No newline at end of file
diff --git a/README.md b/README.md
index 73c459d..f9c7614 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# assign-deep [![NPM version](https://img.shields.io/npm/v/assign-deep.svg?style=flat)](https://www.npmjs.com/package/assign-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![NPM total downloads](https://img.shields.io/npm/dt/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/assign-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/assign-deep)
+# assign-deep [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W8YFZ425KND68) [![NPM version](https://img.shields.io/npm/v/assign-deep.svg?style=flat)](https://www.npmjs.com/package/assign-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![NPM total downloads](https://img.shields.io/npm/dt/assign-deep.svg?style=flat)](https://npmjs.org/package/assign-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/assign-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/assign-deep)
 
 > Deeply assign the values of all enumerable-own-properties and symbols from one or more source objects to a target object. Returns the target object.
 
@@ -12,6 +12,10 @@ Install with [npm](https://www.npmjs.com/):
 $ npm install --save assign-deep
 ```
 
+## Heads up!
+
+[Please update](https://github.com/update/update) to version 1.0.1 or later, a critical bug was fixed in that version.
+
 ## Behavior
 
 * This follows the same behavior as [Object.assign()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign), and thus _does not_ deep clone values.
@@ -91,31 +95,31 @@ $ npm install -g verbose/verb#dev verb-generate-readme && verb
 
 You might also be interested in these projects:
 
-* [assign-symbols](https://www.npmjs.com/package/assign-symbols): Assign the enumerable es6 Symbol properties from an object (or objects) to the first object… [more](https://github.com/jonschlinkert/assign-symbols) | [homepage](https://github.com/jonschlinkert/assign-symbols "Assign the enumerable es6 Symbol properties from an object (or objects) to the first object passed on the arguments. Can be used as a supplement to other extend, assign or merge methods as a polyfill for the Symbols part of the es6 Object.assign method.")
+* [assign-symbols](https://www.npmjs.com/package/assign-symbols): Assign the enumerable es6 Symbol properties from one or more objects to the first object… [more](https://github.com/jonschlinkert/assign-symbols) | [homepage](https://github.com/jonschlinkert/assign-symbols "Assign the enumerable es6 Symbol properties from one or more objects to the first object passed on the arguments. Can be used as a supplement to other extend, assign or merge methods as a polyfill for the Symbols part of the es6 Object.assign method.")
 * [extend-shallow](https://www.npmjs.com/package/extend-shallow): Extend an object with the properties of additional objects. node.js/javascript util. | [homepage](https://github.com/jonschlinkert/extend-shallow "Extend an object with the properties of additional objects. node.js/javascript util.")
 * [merge-deep](https://www.npmjs.com/package/merge-deep): Recursively merge values in a javascript object. | [homepage](https://github.com/jonschlinkert/merge-deep "Recursively merge values in a javascript object.")
 * [mixin-deep](https://www.npmjs.com/package/mixin-deep): Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone… [more](https://github.com/jonschlinkert/mixin-deep) | [homepage](https://github.com/jonschlinkert/mixin-deep "Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.")
 
 ### Contributors
 
-| **Commits** | **Contributor** | 
-| --- | --- |
-| 27 | [jonschlinkert](https://github.com/jonschlinkert) |
-| 14 | [doowb](https://github.com/doowb) |
+| **Commits** | **Contributor** |  
+| --- | --- |  
+| 31 | [jonschlinkert](https://github.com/jonschlinkert) |  
+| 14 | [doowb](https://github.com/doowb) |  
 
 ### Author
 
 **Jon Schlinkert**
 
-* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
 * [GitHub Profile](https://github.com/jonschlinkert)
 * [Twitter Profile](https://twitter.com/jonschlinkert)
+* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
 
 ### License
 
-Copyright © 2018, [Jon Schlinkert](https://github.com/jonschlinkert).
+Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
 Released under the [MIT License](LICENSE).
 
 ***
 
-_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.6.0, on August 07, 2018._
\ No newline at end of file
+_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on June 19, 2019._
\ No newline at end of file
diff --git a/index.js b/index.js
index f298e3f..02cd776 100644
--- a/index.js
+++ b/index.js
@@ -7,8 +7,13 @@
 
 'use strict';
 
-const assignSymbols = require('assign-symbols');
 const toString = Object.prototype.toString;
+const assignSymbols = require('assign-symbols');
+
+const isValidKey = key => {
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+};
+
 const assign = module.exports = (target, ...args) => {
   let i = 0;
   if (isPrimitive(target)) target = args[i++];
@@ -16,10 +21,12 @@ const assign = module.exports = (target, ...args) => {
   for (; i < args.length; i++) {
     if (isObject(args[i])) {
       for (const key of Object.keys(args[i])) {
-        if (isObject(target[key]) && isObject(args[i][key])) {
-          assign(target[key], args[i][key]);
-        } else {
-          target[key] = args[i][key];
+        if (isValidKey(key)) {
+          if (isObject(target[key]) && isObject(args[i][key])) {
+            assign(target[key], args[i][key]);
+          } else {
+            target[key] = args[i][key];
+          }
         }
       }
       assignSymbols(target, args[i]);
diff --git a/package.json b/package.json
index 35d6533..122e3a2 100644
--- a/package.json
+++ b/package.json
@@ -27,8 +27,8 @@
     "assign-symbols": "^2.0.2"
   },
   "devDependencies": {
-    "gulp-format-md": "^1.0.0",
-    "mocha": "^5.2.0"
+    "gulp-format-md": "^2.0.0",
+    "mocha": "^6.1.4"
   },
   "keywords": [
     "assign",
@@ -70,4 +70,4 @@
       "reflinks": true
     }
   }
-}
+}
\ No newline at end of file