
Conversation

@jacekradko (Member) commented Jan 20, 2026

Summary

  • Add safeguards to fastDeepMergeAndReplace and fastDeepMergeAndKeep to skip dangerous keys (__proto__, constructor, prototype) during object merging
  • Add comprehensive tests for prototype pollution prevention

This fixes a security vulnerability (SEC-252) where malicious input passed through appearance configurations or localization settings could modify Object.prototype, potentially causing denial of service or application manipulation.

Test plan

  • Added 8 new unit tests covering prototype pollution prevention scenarios
  • All existing tests continue to pass
  • Verified fix blocks __proto__, constructor, and prototype keys
  • Verified safe keys still merge correctly

Summary by CodeRabbit

Bug Fixes

  • Implemented security protections in the deep merge utility to prevent prototype pollution attacks.

Tests

  • Added comprehensive test coverage for prototype pollution prevention scenarios, including edge cases and cleanup validation.


Add safeguards to fastDeepMergeAndReplace and fastDeepMergeAndKeep
functions to prevent prototype pollution attacks by skipping dangerous
keys (__proto__, constructor, prototype) during object merging.

This fixes a security vulnerability where malicious input passed through
appearance configurations or localization settings could modify
Object.prototype, potentially causing DoS or application manipulation.
changeset-bot bot commented Jan 20, 2026

⚠️ No Changeset found

Latest commit: d02fcc1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

vercel bot commented Jan 20, 2026

The latest updates on your projects.

Project | Deployment | Review | Updated (UTC)
clerk-js-sandbox | Ready | Preview, Comment | Jan 20, 2026 0:58am

coderabbitai bot (Contributor) commented Jan 20, 2026

📝 Walkthrough

This change addresses a prototype pollution vulnerability in the fastDeepMergeAndReplace and fastDeepMergeAndKeep utility functions. A private constant DANGEROUS_KEYS containing __proto__, constructor, and prototype was introduced. Both functions now skip these keys during object iteration, preventing modification of Object.prototype and related unsafe properties. Corresponding test coverage was added to verify the vulnerability is mitigated across various prototype pollution scenarios, including nested cases. No changes to public API signatures were made.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main security fix: preventing prototype pollution in fastDeepMerge utilities by skipping dangerous keys.
Linked Issues check | ✅ Passed | The PR successfully addresses SEC-252 by adding safeguards to skip dangerous keys (__proto__, constructor, prototype) in both fastDeepMergeAndReplace and fastDeepMergeAndKeep, plus comprehensive tests.
Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the prototype pollution vulnerability: implementation guards in fastDeepMerge.ts and comprehensive test coverage in the spec file.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

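An added example, written for this page and not taken from Clerk's fastDeepMerge implementation, showing why the skip-list described in the PR description and the walkthrough above matters. A naive recursive merge fed a JSON payload carrying a `__proto__` key ends up writing into Object.prototype, while the same walk with the three dangerous keys skipped leaves the prototype untouched and still merges ordinary settings. The names `unsafeDeepMerge`, `safeDeepMerge`, `isPlainObject`, `demo` and the constructed sample payload are assumptions for this illustration.

```typescript
// Added example, not the project's fastDeepMerge code: a minimal recursive merge
// in two variants, one that copies every key and one that skips the dangerous
// keys (__proto__, constructor, prototype) the PR describes. The function names,
// the `Dict` type and the sample payload are assumptions made for this illustration.

type Dict = Record<string, unknown>;

// Keys that resolve to Object.prototype or the constructor chain rather than to a
// plain data property on the target.
const DANGEROUS_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value: unknown): value is Dict {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// Naive merge: every own key of `source` is written into `target`, recursing into
// nested objects. JSON.parse produces an *own* "__proto__" key, and reading
// target["__proto__"] returns Object.prototype, which passes isPlainObject, so the
// recursion writes the supplied nested object straight into Object.prototype.
function unsafeDeepMerge(source: Dict, target: Dict): Dict {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      unsafeDeepMerge(value, target[key] as Dict);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: identical walk, but dangerous keys are skipped before any read
// of target[key] happens, so Object.prototype is never reached.
function safeDeepMerge(source: Dict, target: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepMerge(value, target[key] as Dict);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True when `prop` has been written directly onto Object.prototype.
function isPrototypePolluted(prop: string): boolean {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Remove a polluted property so one run cannot leak into the next.
function cleanupPrototype(prop: string): void {
  delete (Object.prototype as unknown as Dict)[prop];
}

// Constructed sample: an "appearance" payload as it could arrive after JSON.parse,
// carrying a __proto__ key next to an ordinary setting.
const SAMPLE_PAYLOAD = '{"__proto__": {"polluted": "yes"}, "theme": "dark"}';

function parsePayload(): Dict {
  return JSON.parse(SAMPLE_PAYLOAD) as Dict;
}

// Runs both merges against fresh targets and reports whether each one polluted
// Object.prototype; the prototype is cleaned up after the unsafe merge.
function demo(): { unsafePolluted: boolean; safePolluted: boolean; safeTarget: Dict } {
  unsafeDeepMerge(parsePayload(), {});
  const unsafePolluted = isPrototypePolluted("polluted");
  cleanupPrototype("polluted");

  const safeTarget: Dict = {};
  safeDeepMerge(parsePayload(), safeTarget);
  const safePolluted = isPrototypePolluted("polluted");
  return { unsafePolluted, safePolluted, safeTarget };
}

console.log(demo());
```

The guard sits before any read of `target[key]` because the read itself is what turns a `__proto__` key into a reference to Object.prototype. The skip-list covers exactly the three names the PR lists; a merge that must accept arbitrary attacker-influenced keys can additionally build its targets with `Object.create(null)` so that no prototype chain exists to reach.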

pkg-pr-new bot commented Jan 20, 2026

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7621

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7621

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7621

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7621

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7621

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7621

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7621

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7621

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7621

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7621

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7621

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7621

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7621

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7621

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7621

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7621

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7621

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7621

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7621

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7621

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7621

commit: d02fcc1
