disallow constructor and prototype keys

jonschlinkert · jonschlinkert · commit 8f464c8ce976 · 2019-06-19T13:47:01.000-04:00
diff --git a/.travis.yml b/.travis.yml
@@ -10,5 +10,3 @@ node_js:
   - '8'
   - '7'
   - '6'
-  - '5'
-  - '4'
diff --git a/.verb.md b/.verb.md
@@ -1,3 +1,7 @@
+## Heads up!
+
+[Please update][update] to version 2.0.1 or later, a critical bug was fixed in that version.
+
 ## Usage
 
 ```js
@@ -6,3 +10,6 @@ const res = mixin({ a: { foo: true } }, { a: { bar: true } }, { a: { baz: true }
 console.log(res);
 //=> { a: { foo: true, bar: true, baz: true } }
 ```
+
+
+[update]: https://gist.github.com/jonschlinkert/9a62534c4f8bc76aee6058caa3f05fd6
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# mixin-deep [![NPM version](https://img.shields.io/npm/v/mixin-deep.svg?style=flat)](https://www.npmjs.com/package/mixin-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![NPM total downloads](https://img.shields.io/npm/dt/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/mixin-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/mixin-deep)
+# mixin-deep [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=W8YFZ425KND68) [![NPM version](https://img.shields.io/npm/v/mixin-deep.svg?style=flat)](https://www.npmjs.com/package/mixin-deep) [![NPM monthly downloads](https://img.shields.io/npm/dm/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![NPM total downloads](https://img.shields.io/npm/dt/mixin-deep.svg?style=flat)](https://npmjs.org/package/mixin-deep) [![Linux Build Status](https://img.shields.io/travis/jonschlinkert/mixin-deep.svg?style=flat&label=Travis)](https://travis-ci.org/jonschlinkert/mixin-deep)
 
 > Deeply mix the properties of objects into the first object. Like merge-deep, but doesn't clone. No dependencies.
 
@@ -12,6 +12,10 @@ Install with [npm](https://www.npmjs.com/):
 $ npm install --save mixin-deep
 ```
 
+## Heads up!
+
+[Please update](https://gist.github.com/jonschlinkert/9a62534c4f8bc76aee6058caa3f05fd6) to version 2.0.1 or later, a critical bug was fixed in that version.
+
 ## Usage
 
 ```js
@@ -65,24 +69,24 @@ You might also be interested in these projects:
 
 ### Contributors
 
-| **Commits** | **Contributor** | 
-| --- | --- |
-| 26 | [jonschlinkert](https://github.com/jonschlinkert) |
-| 2 | [doowb](https://github.com/doowb) |
+| **Commits** | **Contributor** |  
+| --- | --- |  
+| 28 | [jonschlinkert](https://github.com/jonschlinkert) |  
+| 2  | [doowb](https://github.com/doowb) |  
 
 ### Author
 
 **Jon Schlinkert**
 
-* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
 * [GitHub Profile](https://github.com/jonschlinkert)
 * [Twitter Profile](https://twitter.com/jonschlinkert)
+* [LinkedIn Profile](https://linkedin.com/in/jonschlinkert)
 
 ### License
 
-Copyright © 2018, [Jon Schlinkert](https://github.com/jonschlinkert).
+Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
 Released under the [MIT License](LICENSE).
 
 ***
 
-_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.6.0, on July 11, 2018._
+_This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on June 19, 2019._
diff --git a/index.js b/index.js
@@ -1,17 +1,25 @@
 'use strict';
 
-function mixinDeep(target, ...rest) {
+const isObject = val => {
+  return typeof val === 'function' || (typeof val === 'object' && val !== null && !Array.isArray(val));
+};
+
+const isValidKey = key => {
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+};
+
+const mixinDeep = (target, ...rest) => {
   for (let obj of rest) {
     if (isObject(obj)) {
       for (let key in obj) {
-        if (key !== '__proto__') {
+        if (isValidKey(key)) {
           mixin(target, obj[key], key);
         }
       }
     }
   }
   return target;
-}
+};
 
 function mixin(target, val, key) {
   let obj = target[key];
@@ -22,10 +30,6 @@ function mixin(target, val, key) {
   }
 }
 
-function isObject(val) {
-  return typeof val === 'function' || (typeof val === 'object' && val !== null && !Array.isArray(val));
-}
-
 /**
  * Expose mixinDeep
  * @type {Function}
diff --git a/package.json b/package.json
@@ -14,16 +14,17 @@
   ],
   "main": "index.js",
   "engines": {
-    "node": ">=4"
+    "node": ">=6"
   },
   "scripts": {
     "test": "mocha"
   },
   "devDependencies": {
-    "gulp-format-md": "^1.0.0",
-    "mocha": "^5.2.0"
+    "gulp-format-md": "^2.0.0",
+    "mocha": "^6.1.4"
   },
   "keywords": [
+    "assign",
     "deep",
     "extend",
     "key",

-Original file line number
+Diff line change
   - '8'
   - '7'
   - '6'
 -  - '5'
 -  - '4'