Skip to content

Use Object.create(null) over {} to avoid prototype issues#4634

Merged
yaacovCR merged 2 commits into17.x.xfrom
obj-create-null-17
Apr 16, 2026
Merged

Use Object.create(null) over {} to avoid prototype issues#4634
yaacovCR merged 2 commits into17.x.xfrom
obj-create-null-17

Conversation

@benjie
Copy link
Copy Markdown
Member

@benjie benjie commented Mar 24, 2026
edited by yaacovCR
Loading

Forward-port of #4631. Description from #4631 on v16

Object.create(null) is generally safer since it is not vulnerable to prototype pollution in user code. To avoid breaking changes I've returned { ...obj } thus ensuring that the returned object still has the default Object prototype.

But this PR skips that latter portion, return obj rather than { ...obj }, a BREAKING CHANGE for v17 that improves performance, compare obj-create-null-17 vs restore-prototype

image

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 24, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
graphql-js Ignored Ignored Preview Apr 16, 2026 11:22am

Request Review

@benjie benjie requested a review from yaacovCR March 24, 2026 16:01
yaacovCR
yaacovCR reviewed Mar 25, 2026
View reviewed changes
Comment thread src/execution/values.ts Outdated
yaacovCR
yaacovCR reviewed Mar 25, 2026
View reviewed changes
Comment thread src/utilities/coerceInputValue.ts Outdated
@yaacovCR yaacovCR mentioned this pull request Apr 13, 2026
Merged
@abishekgiri abishekgiri mentioned this pull request Apr 13, 2026
Open
17 tasks
yaacovCR
yaacovCR previously requested changes Apr 16, 2026
View reviewed changes
Comment thread src/execution/values.ts Outdated
Comment thread src/utilities/coerceInputValue.ts Outdated
@yaacovCR yaacovCR added the PR: breaking change 💥 implementation requires increase of "major" version number label Apr 16, 2026
@yaacovCR yaacovCR force-pushed the obj-create-null-17 branch from 315e52e to 3ee6c94 Compare April 16, 2026 11:22
@yaacovCR yaacovCR merged commit e09f7da into 17.x.x Apr 16, 2026
42 checks passed
@yaacovCR yaacovCR deleted the obj-create-null-17 branch April 16, 2026 11:51
yaacovCR pushed a commit that referenced this pull request Apr 18, 2026
@abishekgiri
fix: avoid prototype-colliding names in execution values (#4653)
afbe436 
completes conversion of execution values to use of prototype-less objects begun in #4634

= adds tests for the new behavior
= fixes out-of-date comments
= small type-change
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yaacovCR yaacovCR yaacovCR left review comments

Assignees

No one assigned

Labels

PR: breaking change 💥 implementation requires increase of "major" version number

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@benjie @yaacovCR