fix(commons): skip prototype-polluting keys in _.merge

[marshallswain]

Summary

The recursive _.merge helper in @feathersjs/commons iterates Object.keys(source). When the source came from JSON.parse('{"__proto__":...}'), __proto__ is returned as an own-enumerable key, so the recursive call resolves target['__proto__'] to Object.prototype and writes onto it.

This adds the standard guard to skip __proto__, constructor, and prototype keys during iteration.

Changes

• src/index.ts: skip the three prototype-mutating keys in the merge loop.
• test/utils.test.ts: regression test confirming a JSON-parsed __proto__/constructor.prototype source no longer mutates Object.prototype, fresh objects, or the target.

Notes

• No public API change — merge still works for all documented input shapes.
• Reported by Andrew Ridings (@ridingsa). Reimplemented here as a maintainer commit (supersedes fix(commons): skip __proto__ / constructor / prototype keys in _.merge #3687) so the change lands under a reviewed, verified commit.

Reported-by: Andrew Ridings (@ridingsa)

[tjenkinson]

Maybe a better alternative is https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/defineProperty as this will never touch the prototype? Then we wouldn't need to add the exclusions?

Unlike accessor properties, data properties are always set on the object itself, not on a prototype. However, if a non-writable data property is inherited, it is still prevented from being modified on the object.

https://claude.ai/share/609aae22-2720-40e6-8479-04e023e37776

Cc @ridingsa

WDYT?