From 7de58ca0d315990cdb38234e97fc66254cdbcd71 Mon Sep 17 00:00:00 2001
From: bcoe
Date: Mon, 30 Nov 2020 15:30:38 -0800
Subject: [PATCH] fix: address prototype pollution issue
---
 index.js | 2 +-
 package.json | 2 +-
 test/y18n-test.js | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index d7206816..727362aa 100644
--- a/index.js
+++ b/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
 this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 // internal stuff.
- this.cache = {}
+ this.cache = Object.create(null)
 this.writeQueue = []
 }
diff --git a/package.json b/package.json
index f44d52d3..2050c9e6 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "y18n",
- "version": "4.0.0",
+ "version": "4.0.1",
 "description": "the bare-bones internationalization library used by yargs",
 "main": "index.js",
 "scripts": {
diff --git a/test/y18n-test.js b/test/y18n-test.js
index 2ef27377..b542fe94 100644
--- a/test/y18n-test.js
+++ b/test/y18n-test.js
@@ -352,6 +352,24 @@ describe('y18n', function () {
 })
 })
+ // See: https://github.com/yargs/y18n/issues/96,
+ // https://github.com/yargs/y18n/pull/107
+ describe('prototype pollution', () => {
+ it('does not pollute prototype, with __proto__ locale', () => {
+ const y = y18n()
+ y.setLocale('__proto__')
+ y.updateLocale({ polluted: '👽' })
+ y.__('polluted').should.equal('👽')
+ ;(typeof polluted).should.equal('undefined')
+ })
+
+ it('does not pollute prototype, when __ is used with __proto__ locale', () => {
+ const __ = y18n({ locale: '__proto__' }).__
+ __('hello')
+ ;(typeof {}.hello).should.equal('undefined')
+ })
+ })
+
 after(function () {
 rimraf.sync('./test/locales/fr.json')
 })
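Review bot: The new `this.cache = Object.create(null)` line carries no comment saying why a null-prototype object is needed, so a later cleanup could quietly turn it back into `{}` and reopen the issue this commit addresses. I would add above it: `// null prototype: locale names are used as keys, so '__proto__' must stay an ordinary own key`. The change covers only the top-level locale map; the per-locale objects stored under each key are created outside this hunk, and if they are plain objects a lookup of an inherited name such as `constructor` would presumably still resolve through `Object.prototype`, which is worth confirming. The Y18N constructor starts before the hunk, so any code calling `this.cache.hasOwnProperty(...)` directly, which a null-prototype object does not provide, is not visible here and should be checked.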
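Review bot: In the first new test the check `(typeof polluted).should.equal('undefined')` reads a bare global identifier, which detects a polluted `Object.prototype` only indirectly through the global object's prototype chain; the form used in the second test is clearer, `;(typeof {}.polluted).should.equal('undefined')`. Neither test removes the property if the assertion fails, so a regression would leave `Object.prototype` modified for every later test in the file; an `afterEach` that deletes `Object.prototype.polluted` and `Object.prototype.hello` would keep failures isolated. Both tests also construct the instance without `updateFiles: false`, so if the defaults write missing keys to disk (not visible in this hunk) the run may leave a `__proto__.json` file behind. The enclosing `describe('y18n', ...)` block starts outside the hunk.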