Move from '{}' to 'Object.create(null)' in more places (#2877)

benjie · web-flow · commit bf6a21475e50 · 2026-01-07T16:35:14.000Z
diff --git a/.changeset/cozy-coats-serve.md b/.changeset/cozy-coats-serve.md
@@ -0,0 +1,12 @@
+---
+"graphile-build-pg": patch
+"graphile-build": patch
+"graphile-utils": patch
+"postgraphile": patch
+"ruru-components": patch
+"graphile-export": patch
+"@dataplan/pg": patch
+"grafast": patch
+---
+
+Safety - use null prototype objects in more places.
diff --git a/grafast/bench/src/index.ts b/grafast/bench/src/index.ts
@@ -65,7 +65,7 @@ export async function bench(
         );
         const variableValues = variableValuesMatch
           ? JSON5.parse(variableValuesMatch[1])
-          : {};
+          : Object.create(null);
         const checkForErrors = (
           result: ExecutionResult | ExecutionPatchResult,
         ) => {
diff --git a/grafast/grafast/src/makeGrafastSchema.ts b/grafast/grafast/src/makeGrafastSchema.ts
@@ -299,7 +299,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
   } else {
     // Hackily convert the new format into the old format. We'll do away with
     // this in future, but for now it's the easiest way to ensure compatibility
-    plans = {};
+    plans = Object.create(null);
 
     const assertLocation = <
       TExpected extends
@@ -357,7 +357,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
     };
     for (const [typeName, spec] of Object.entries(objects ?? {})) {
       const t = assertLocation(typeName, "objects");
-      const o = {} as Record<string, any>;
+      const o = Object.create(null) as Record<string, any>;
       plans[typeName] = o as any;
 
       const { plans: planResolvers = {}, ...rest } = spec;
@@ -374,7 +374,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
 
     for (const [typeName, spec] of Object.entries(inputObjects ?? {})) {
       const t = assertLocation(typeName, "inputObjects");
-      const o = {} as Record<string, any>;
+      const o = Object.create(null) as Record<string, any>;
       plans[typeName] = o as any;
 
       const { plans: planResolvers = {}, ...rest } = spec;
@@ -393,7 +393,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
 
     for (const [typeName, spec] of Object.entries(unions ?? {})) {
       assertLocation(typeName, "unions");
-      const o = {} as Record<string, any>;
+      const o = Object.create(null) as Record<string, any>;
       plans[typeName] = o as any;
 
       for (const [key, val] of Object.entries(spec)) {
@@ -403,7 +403,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
 
     for (const [typeName, spec] of Object.entries(interfaces ?? {})) {
       assertLocation(typeName, "interfaces");
-      const o = {} as Record<string, any>;
+      const o = Object.create(null) as Record<string, any>;
       plans[typeName] = o as any;
 
       for (const [key, val] of Object.entries(spec)) {
@@ -418,7 +418,7 @@ export function makeGrafastSchema(details: GrafastSchemaConfig): GraphQLSchema {
 
     for (const [typeName, spec] of Object.entries(enums ?? {})) {
       const t = assertLocation(typeName, "enums");
-      const o = {} as Record<string, any>;
+      const o = Object.create(null) as Record<string, any>;
       plans[typeName] = o as any;
 
       const { values = {}, ...rest } = spec;
diff --git a/grafast/grafast/src/steps/object.ts b/grafast/grafast/src/steps/object.ts
@@ -151,10 +151,13 @@ export class ObjectStep<
       this.keys,
       tuple,
     );
-    const newObj = this.keys.reduce((memo, key, i) => {
-      memo[key] = tuple[i];
-      return memo;
-    }, {} as Partial<DataFromObjectSteps<TPlans>>) as DataFromObjectSteps<TPlans>;
+    const newObj = this.keys.reduce(
+      (memo, key, i) => {
+        memo[key] = tuple[i];
+        return memo;
+      },
+      Object.create(null) as Partial<DataFromObjectSteps<TPlans>>,
+    ) as DataFromObjectSteps<TPlans>;
 
     // Cache newObj so the same tuple values result in the exact same object.
     meta.results.push([tuple, newObj]);
diff --git a/grafast/grafast/src/utils.ts b/grafast/grafast/src/utils.ts
@@ -498,7 +498,7 @@ export function objectSpec<
           );
           return o;
         },
-        {} as GraphQLFieldConfigMap<any, Grafast.Context>,
+        Object.create(null) as GraphQLFieldConfigMap<any, Grafast.Context>,
       );
       return modifiedFields;
     },
@@ -585,7 +585,7 @@ export function objectFieldSpec<
         };
         return memo;
       }, Object.create(null))
-    : {};
+    : Object.create(null);
 
   return {
     ...spec,
@@ -640,10 +640,13 @@ function inputObjectSpec<TParent>(
     fields: () => {
       const fields =
         typeof spec.fields === "function" ? spec.fields() : spec.fields;
-      const modifiedFields = Object.keys(fields).reduce((o, key) => {
-        o[key] = inputObjectFieldSpec(fields[key], `${spec.name}.${key}`);
-        return o;
-      }, {} as GraphQLInputFieldConfigMap);
+      const modifiedFields = Object.keys(fields).reduce(
+        (o, key) => {
+          o[key] = inputObjectFieldSpec(fields[key], `${spec.name}.${key}`);
+          return o;
+        },
+        Object.create(null) as GraphQLInputFieldConfigMap,
+      );
       return modifiedFields;
     },
   };
diff --git a/grafast/ruru-components/src/hooks/useFetcher.ts b/grafast/ruru-components/src/hooks/useFetcher.ts
@@ -151,9 +151,11 @@ export const useFetcher = (
   }, [url]);
 
   const fetcherOptions = useMemo<CreateFetcherOptions>(() => {
-    const headers: Record<string, string> = explain
-      ? { "X-PostGraphile-Explain": "on", "X-GraphQL-Explain": "plan,sql" }
-      : {};
+    const headers: Record<string, string> = Object.create(null);
+    if (explain) {
+      headers["X-PostGraphile-Explain"] = "on";
+      headers["X-GraphQL-Explain"] = "plan,sql";
+    }
     return {
       url,
       headers,
diff --git a/graphile-build/graphile-build-pg/src/plugins/PgJWTPlugin.ts b/graphile-build/graphile-build-pg/src/plugins/PgJWTPlugin.ts
@@ -162,16 +162,19 @@ export const PgJWTPlugin: GraphileConfig.Plugin = {
             serialize: EXPORTABLE(
               (attributeNames, pgJwtSecret, pgJwtSignOptions, signJwt) =>
                 function serialize(value: any) {
-                  const token = attributeNames.reduce((memo, attributeName) => {
-                    if (attributeName === "exp") {
-                      memo[attributeName] = value[attributeName]
-                        ? parseFloat(value[attributeName])
-                        : undefined;
-                    } else {
-                      memo[attributeName] = value[attributeName];
-                    }
-                    return memo;
-                  }, {} as any);
+                  const token = attributeNames.reduce(
+                    (memo, attributeName) => {
+                      if (attributeName === "exp") {
+                        memo[attributeName] = value[attributeName]
+                          ? parseFloat(value[attributeName])
+                          : undefined;
+                      } else {
+                        memo[attributeName] = value[attributeName];
+                      }
+                      return memo;
+                    },
+                    Object.create(null) as any,
+                  );
                   const options = Object.assign(
                     Object.create(null),
                     pgJwtSignOptions,
diff --git a/graphile-build/graphile-build-pg/src/plugins/PgOrderAllAttributesPlugin.ts b/graphile-build/graphile-build-pg/src/plugins/PgOrderAllAttributesPlugin.ts
@@ -253,7 +253,7 @@ export const PgOrderAllAttributesPlugin: GraphileConfig.Plugin = {
               );
               return memo;
             },
-            {} as GraphQLEnumValueConfigMap,
+            Object.create(null) as GraphQLEnumValueConfigMap,
           ),
           `Adding order values from table '${pgCodec.name}'`,
         );
diff --git a/graphile-build/graphile-build/src/behavior.ts b/graphile-build/graphile-build/src/behavior.ts
@@ -189,7 +189,7 @@ export class Behavior {
           const behaviorString = key as keyof GraphileBuild.BehaviorStrings;
           if (!this.behaviorRegistry[behaviorString]) {
             this.behaviorRegistry[behaviorString] = {
-              entities: {},
+              entities: Object.create(null),
             };
           }
           const { description } = spec;
diff --git a/graphile-build/graphile-build/src/extend.ts b/graphile-build/graphile-build/src/extend.ts
@@ -26,7 +26,7 @@ export default function extend<
   if (isDev && (Array.isArray(base) || Array.isArray(extra))) {
     throw new Error(`Do not extend arrays!`);
   }
-  const hints = base[$$hints] || {};
+  const hints = base[$$hints] || Object.create(null);
 
   const keysB = Object.keys(extra);
   const extraHints = extra[$$hints] || {};
diff --git a/graphile-build/graphile-build/src/newWithHooks/index.ts b/graphile-build/graphile-build/src/newWithHooks/index.ts
@@ -1,4 +1,9 @@
-import type { BaseGraphQLArguments, GrafastFieldConfig, Step } from "grafast";
+import type {
+  BaseGraphQLArguments,
+  GrafastFieldConfig,
+  GrafastFieldConfigArgumentMap,
+  Step,
+} from "grafast";
 import { inputObjectFieldSpec, objectSpec } from "grafast";
 import type {
   GraphQLEnumTypeConfig,
@@ -255,7 +260,9 @@ export function makeNewWithHooks({ builder }: MakeNewWithHooksOptions): {
                   `|${typeName}.fields.${fieldName}`,
                 ) as typeof resolvedFieldSpec;
 
-                resolvedFieldSpec.args = resolvedFieldSpec.args ?? {};
+                resolvedFieldSpec.args =
+                  resolvedFieldSpec.args ??
+                  (Object.create(null) as GrafastFieldConfigArgumentMap);
                 const argsContext: GraphileBuild.ContextObjectFieldsFieldArgs =
                   { ...fieldContext };
                 const finalFieldSpec = {
@@ -448,7 +455,7 @@ export function makeNewWithHooks({ builder }: MakeNewWithHooksOptions): {
                     fieldContext,
                     `|${typeName}.fields.${fieldName}`,
                   );
-                  newSpec.args = newSpec.args || {};
+                  newSpec.args = newSpec.args || Object.create(null);
                   const argsContext = {
                     ...fieldContext,
                   };
diff --git a/graphile-build/graphile-utils/src/makeExtendSchemaPlugin.ts b/graphile-build/graphile-utils/src/makeExtendSchemaPlugin.ts
@@ -294,9 +294,9 @@ export function extendSchema(
             GraphQLSchema: {
               directives: [],
             },
-            GraphQLInputObjectType: {},
-            GraphQLObjectType: {},
-            GraphQLInterfaceType: {},
+            GraphQLInputObjectType: Object.create(null),
+            GraphQLObjectType: Object.create(null),
+            GraphQLInterfaceType: Object.create(null),
           };
           const newTypes: Array<NewTypeDef> = [];
           document.definitions.forEach((definition) => {
@@ -383,7 +383,7 @@ export function extendSchema(
           } else {
             // Hackily convert the new format into the old format. We'll do away with
             // this in future, but for now it's the easiest way to ensure compatibility
-            plans = {};
+            plans = Object.create(null);
             const definitionNodes = document.definitions.filter(
               (d) =>
                 d.kind === Kind.OBJECT_TYPE_DEFINITION ||
@@ -490,7 +490,7 @@ export function extendSchema(
 
             for (const [typeName, spec] of Object.entries(objects ?? {})) {
               const fields = assertLocation(typeName, "objects");
-              const o = {} as Record<string, any>;
+              const o = Object.create(null) as Record<string, any>;
               plans[typeName] = o as any;
 
               const { plans: planResolvers = {}, ...rest } = spec;
@@ -510,7 +510,7 @@ export function extendSchema(
 
             for (const [typeName, spec] of Object.entries(inputObjects ?? {})) {
               const fields = assertLocation(typeName, "inputObjects");
-              const o = {} as Record<string, any>;
+              const o = Object.create(null) as Record<string, any>;
               plans[typeName] = o as any;
 
               const { plans: planResolvers = {}, ...rest } = spec;
@@ -530,7 +530,7 @@ export function extendSchema(
 
             for (const [typeName, spec] of Object.entries(unions ?? {})) {
               assertLocation(typeName, "unions");
-              const o = {} as Record<string, any>;
+              const o = Object.create(null) as Record<string, any>;
               plans[typeName] = o as any;
 
               for (const [key, val] of Object.entries(spec)) {
@@ -541,7 +541,7 @@ export function extendSchema(
 
             for (const [typeName, spec] of Object.entries(interfaces ?? {})) {
               const fields = assertLocation(typeName, "interfaces");
-              const o = {} as Record<string, any>;
+              const o = Object.create(null) as Record<string, any>;
               plans[typeName] = o as any;
 
               const { fields: fieldConfigs = {}, ...rest } = spec;
@@ -589,7 +589,7 @@ export function extendSchema(
 
             for (const [typeName, spec] of Object.entries(enums ?? {})) {
               const enumValues = assertLocation(typeName, "enums");
-              const o = {} as Record<string, any>;
+              const o = Object.create(null) as Record<string, any>;
               plans[typeName] = o as any;
 
               const { values = {}, ...rest } = spec;
@@ -1375,7 +1375,7 @@ export function extendSchema(
         return memo;
       }, Object.create(null));
     }
-    return {};
+    return Object.create(null);
   }
 
   function getFields<TSource>(
@@ -1520,7 +1520,7 @@ export function extendSchema(
         }
       }, Object.create(null));
     }
-    return {};
+    return Object.create(null);
   }
 
   function getInputFields(
@@ -1571,7 +1571,7 @@ export function extendSchema(
         return memo;
       }, Object.create(null));
     }
-    return {};
+    return Object.create(null);
   }
 }
 
diff --git a/postgraphile/postgraphile/__tests__/schema/v4/jwt.1.export.mjs b/postgraphile/postgraphile/__tests__/schema/v4/jwt.1.export.mjs
@@ -8166,7 +8166,7 @@ export const scalars = {
           memo[attributeName] = value[attributeName];
         }
         return memo;
-      }, {});
+      }, Object.create(null));
       const options = Object.assign(Object.create(null), undefined, token.aud || undefined && undefined.audience ? null : {
         audience: "postgraphile"
       }, token.iss || undefined && undefined.issuer ? null : {
diff --git a/postgraphile/postgraphile/graphile.config.ts b/postgraphile/postgraphile/graphile.config.ts
@@ -331,9 +331,10 @@ const AddToResponseExtensionsPropertyPlugin: GraphileConfig.Plugin = {
       execute(next, event) {
         return next.callback((error, result) => {
           if (error) throw error;
-          const context = (event.args.contextValue ?? {}) as Grafast.Context;
+          const context = (event.args.contextValue ??
+            Object.create(null)) as Grafast.Context;
           if (!isAsyncIterable(result)) {
-            if (!result.extensions) result.extensions = {};
+            if (!result.extensions) result.extensions = Object.create(null);
             result.extensions.number = context.number;
           }
           return result;
diff --git a/utils/graphile-export/src/exportSchema.ts b/utils/graphile-export/src/exportSchema.ts
@@ -546,7 +546,7 @@ class CodegenFile {
         }
         return memo;
       },
-      {} as { [key: string]: t.Expression | null },
+      Object.create(null) as { [key: string]: t.Expression | null },
     );
     return t.objectExpression(objectToObjectProperties(obj));
   }
@@ -588,7 +588,7 @@ class CodegenFile {
         }
         return memo;
       },
-      {} as { [key: string]: t.Expression | null },
+      Object.create(null) as { [key: string]: t.Expression | null },
     );
     return t.objectExpression(objectToObjectProperties(obj));
   }
@@ -631,7 +631,7 @@ class CodegenFile {
         }
         return memo;
       },
-      {} as { [key: string]: t.Expression | null },
+      Object.create(null) as { [key: string]: t.Expression | null },
     );
     return t.objectExpression(objectToObjectProperties(obj));
   }

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ export class Behavior {`
`189`	`189`	`const behaviorString = key as keyof GraphileBuild.BehaviorStrings;`
`190`	`190`	`if (!this.behaviorRegistry[behaviorString]) {`
`191`	`191`	`this.behaviorRegistry[behaviorString] = {`
`192`		`- entities: {},`
	`192`	`+ entities: Object.create(null),`
`193`	`193`	`};`
`194`	`194`	`}`
`195`	`195`	`const { description } = spec;`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ export default function extend<`
`26`	`26`	`if (isDev && (Array.isArray(base) \|\| Array.isArray(extra))) {`
`27`	`27`	throw new Error(`Do not extend arrays!`);
`28`	`28`	`}`
`29`		`- const hints = base[$$hints] \|\| {};`
	`29`	`+ const hints = base[$$hints] \|\| Object.create(null);`
`30`	`30`
`31`	`31`	`const keysB = Object.keys(extra);`
`32`	`32`	`const extraHints = extra[$$hints] \|\| {};`