Skip to content

chore(deps): update dependency defu to v6.1.5 [security] - abandoned#613

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/npm-defu-vulnerability
Open

chore(deps): update dependency defu to v6.1.5 [security] - abandoned#613
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/npm-defu-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 4, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
defu 6.1.46.1.5 age confidence

GitHub Vulnerability Alerts

CVE-2026-35209

Impact

Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu() are vulnerable to prototype pollution.

A crafted payload containing a __proto__ key can override intended default values in the merged result:

import { defu } from 'defu'

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}')
const config = defu(userInput, { isAdmin: false })

config.isAdmin // true — attacker overrides the server default

Root Cause

The internal _defu function used Object.assign({}, defaults) to copy the defaults object. Object.assign invokes the __proto__ setter, which replaces the resulting object's [[Prototype]] with attacker-controlled values. Properties inherited from the polluted prototype then bypass the existing __proto__ key guard in the for...in loop and land in the final result.

Fix

Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.

Affected Versions

<= 6.1.4

Credits

Reported by @​BlackHatExploitation


Release Notes

unjs/defu (defu)

v6.1.5

Compare Source

compare changes

🩹 Fixes
  • Prevent prototype pollution via __proto__ in defaults (#​156)
  • Ignore inherited enumerable properties (11ba022)
🏡 Chore
✅ Tests
  • Add more tests for plain objects (b65f603)
🤖 CI
❤️ Contributors

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Note

Low Risk
Low risk dependency bump; behavior should be unchanged aside from security hardening in defu’s merge logic. Main risk is unexpected merge/edge-case differences where defu is used for config/env merging.

Overview
Updates the defu dependency used across workspace packages (and the lockfile) to a patched release that mitigates prototype-pollution via __proto__ during object merging.

No application logic changes are introduced beyond consuming the updated defu version.

Reviewed by Cursor Bugbot for commit 5354f8f. Bugbot is set up for automated code reviews on this repo. Configure here.

@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Apr 4, 2026
@renovate

renovate Bot commented Apr 4, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate Bot changed the title chore(deps): update dependency defu to v6.1.5 [security] chore(deps): update dependency defu to v6.1.5 [security] - abandoned Apr 10, 2026
@renovate

renovate Bot commented Apr 10, 2026

Copy link
Copy Markdown
Contributor Author

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants