From 70aa6044f5a762c9738eaf24d9667189cd78b611 Mon Sep 17 00:00:00 2001
From: kricsleo
Date: Wed, 1 Apr 2026 22:41:30 +0800
Subject: [PATCH] fix: avoids prototype pollution
---
 src/defu.ts | 2 +-
 test/defu.test.ts | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/defu.ts b/src/defu.ts
index 271c0231..ebcb59d5 100644
--- a/src/defu.ts
+++ b/src/defu.ts
@@ -12,7 +12,7 @@ function _defu(
 return _defu(baseObject, {}, namespace, merger);
 }
 
- const object = Object.assign({}, defaults);
+ const object = { ...defaults };
 
 for (const key in baseObject) {
 if (key === "__proto__" || key === "constructor") {
diff --git a/test/defu.test.ts b/test/defu.test.ts
index c2f16007..8df223f2 100644
--- a/test/defu.test.ts
+++ b/test/defu.test.ts
@@ -110,6 +110,12 @@ describe("defu", () => {
 defu({}, payload);
 defu(payload, {});
 defu(payload, payload);
+
+ const malicious = JSON.parse('{"__proto__":{"isAdmin":true}}');
+ const result = defu(malicious, { isAdmin: false });
+
+ expect(result.isAdmin).toBe(false);
+ // @ts-ignore
 expect({}.isAdmin).toBe(undefined);
 });
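Review bot: The spread on the `+` line is doing security work that the code does not explain, and `{ ...defaults }` reads as interchangeable with `Object.assign({}, defaults)`, so the next refactor could undo it; add a why-comment such as `const object = { ...defaults }; // spread defines own data properties; Object.assign assigns through setters, so an own "__proto__" key (e.g. from JSON.parse) would replace this copy's prototype`. That matters because the `__proto__`/`constructor` guard on the following lines only inspects keys of `baseObject`, not of `defaults`, and `for...in` walks the prototype chain, so a copy whose prototype was swapped would leak injected keys into later merges if it is fed back in as `baseObject`. Note that the spread still keeps `__proto__` as an own enumerable data property of the copy, so a consumer that later does `Object.assign(target, result)` hits the same setter; dropping `__proto__` and `constructor` from the copy of `defaults` as well would close that path. `_defu` starts before the hunk and continues past it.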
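Review bot: The new assertions check `result.isAdmin` and the global `{}`, but not the property the fix actually relies on, namely that `result` keeps `Object.prototype` as its prototype; add `expect(Object.getPrototypeOf(result)).toBe(Object.prototype);` after the `isAdmin` check so a regression to setter-based copying fails even if the injected key happens to be overwritten by a later argument. A second case with the malicious object as the trailing argument, `defu({ isAdmin: false }, malicious)`, would cover both positions in the merge regardless of how the arguments are paired. The `JSON.parse` fixture is the right construction, since an object literal `{ __proto__: ... }` sets the prototype instead of creating an own key; a one-line comment saying so would keep someone from "simplifying" it. The enclosing `it` block and the `payload` fixture start before the hunk.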