From edb45fa7943293daa82b7c01d612e255390a152e Mon Sep 17 00:00:00 2001
From: Natallia Kazarynava
Date: Mon, 2 Oct 2023 09:33:17 +0000
Subject: [PATCH] security fix: Prevent prototype pollution by using an object without prototypes (via Object.create(null))

---
 purl.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/purl.js b/purl.js
index b5799c6..7422abe 100644
--- a/purl.js
+++ b/purl.js
@@ -67,8 +67,8 @@
 }
 function promote(parent, key) {
- if (parent[key].length === 0) return parent[key] = {};
- var t = {};
+ if (parent[key].length === 0) return parent[key] = Object.create(null);
+ var t = Object.create(null);
 for (var i in parent[key]) t[i] = parent[key][i];
 parent[key] = t;
 return t;
@@ -114,7 +114,7 @@
 parse(parts, parent, 'base', val);
 } else {
 if (!isint.test(key) && isArray(parent.base)) {
- var t = {};
+ var t = Object.create(null);
 for (var k in parent.base) t[k] = parent.base[k];
 parent.base = t;
 }
@@ -145,7 +145,7 @@
 }
 return merge(ret, key, val);
- }, { base: {} }).base;
+ }, { base: Object.create(null) }).base;
 }
 function set(obj, key, val) {
@@ -264,4 +264,4 @@
 return purl;
-});
+});
\ No newline at end of file
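Review bot: The copy loop `for (var i in parent[key]) t[i] = parent[key][i];` still carries keys named `__proto__`, `constructor` or `prototype` into `t` as ordinary own properties; they can no longer change the prototype of `t` itself, but they stay in the parsed output, and a consumer that later merges that output into a normal object with `Object.assign` or a deep `extend` assigns through the target's inherited `__proto__` setter, so the hazard is moved one step downstream rather than removed. Dropping those keys here, `if (i === '__proto__' || i === 'constructor' || i === 'prototype') continue;`, closes that path at the cost of silently discarding parameters with those names, which should then be documented. Because `parent[key]` is still an ordinary array or object until this function replaces it (the first line tests its `.length`), `for...in` also walks any enumerable inherited properties; `Object.keys(parent[key])` would copy own keys only. `promote` is shown in full, but its callers are outside the hunk.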
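Review bot: The three lines `var t = Object.create(null); for (var k in parent.base) t[k] = parent.base[k]; parent.base = t;` are the body of `promote` duplicated inline, so the choice of container is now made in two places that must be kept in sync by hand; `promote(parent, 'base');` performs the same conversion to a null-prototype object and would leave a single place to harden. The enclosing function starts and ends outside this hunk, so that `promote` is reachable from here is inferred from the earlier hunk rather than visible.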
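Review bot: The object handed back through `.base` at `}, { base: Object.create(null) }).base;` now has no prototype, so any caller that does `params.hasOwnProperty(name)` or `params.toString()` on the parsed result throws a TypeError where it previously worked; that is a visible contract change the commit message does not mention and deserves a comment at this line, e.g. `// null-prototype object: a key named __proto__ cannot pollute it, but it also has no hasOwnProperty/toString`. The patch hardens the containers it touches, but nested containers created inside `parse` and `set` (`set` begins on the last line of this hunk and its body is not shown) still use whatever literal they were given, so a `__proto__` segment reached through bracket syntax may still land on an object with a real prototype. A guard before `return merge(ret, key, val)` along the lines of `if (key === '__proto__' || key === 'constructor' || key === 'prototype') return ret;` (extended to the first bracket segment if `key` still carries its `[...]` suffix here) would cover every path regardless of which container receives the key.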