Use setprototypeof module to replace __proto__ setting

closes #1967 closes #2613 closes #3103 closes #3164
2025-12-06 12:19:51 +01:00 · 2017-02-23 01:56:58 -05:00 · 2017-02-23 01:56:58 -05:00 · 6022567c75
commit 6022567c75
parent 12ff56e1e4
5 changed files with 20 additions and 9 deletions
--- a/History.md
+++ b/History.md
@ -6,6 +6,7 @@ unreleased
    - Improves compatibility with Node.js 8 nightly
  * Skip routing when `req.url` is not set
  * Use `Object.create` to setup request & response prototypes
+  * Use `setprototypeof` module to replace `__proto__` setting
  * Use `statuses` instead of `http` module for status messages
  * deps: debug@2.6.1
    - Allow colors in workers
--- a/lib/application.js
+++ b/lib/application.js
@ -28,6 +28,7 @@ var deprecate = require('depd')('express');
 var flatten = require('array-flatten');
 var merge = require('utils-merge');
 var resolve = require('path').resolve;
+var setPrototyeOf = require('setprototypeof')
 var slice = Array.prototype.slice;

 /**
@ -94,10 +95,10 @@ app.defaultConfiguration = function defaultConfiguration() {
    }

    // inherit protos
-    this.request.__proto__ = parent.request;
-    this.response.__proto__ = parent.response;
-    this.engines.__proto__ = parent.engines;
-    this.settings.__proto__ = parent.settings;
+    setPrototyeOf(this.request, parent.request)
+    setPrototyeOf(this.response, parent.response)
+    setPrototyeOf(this.engines, parent.engines)
+    setPrototyeOf(this.settings, parent.settings)
  });

  // setup locals
@ -227,8 +228,8 @@ app.use = function use(fn) {
    router.use(path, function mounted_app(req, res, next) {
      var orig = req.app;
      fn.handle(req, res, function (err) {
-        req.__proto__ = orig.request;
-        res.__proto__ = orig.response;
+        setPrototyeOf(req, orig.request)
+        setPrototyeOf(res, orig.response)
        next(err);
      });
    });
--- a/lib/middleware/init.js
+++ b/lib/middleware/init.js
@ -8,6 +8,13 @@

 'use strict';

+/**
+ * Module dependencies.
+ * @private
+ */
+
+var setPrototyeOf = require('setprototypeof')
+
 /**
 * Initialization middleware, exposing the
 * request and response to each other, as well
@ -25,8 +32,8 @@ exports.init = function(app){
    res.req = req;
    req.next = next;

-    req.__proto__ = app.request;
-    res.__proto__ = app.response;
+    setPrototyeOf(req, app.request)
+    setPrototyeOf(res, app.response)

    res.locals = res.locals || Object.create(null);

--- a/lib/router/index.js
+++ b/lib/router/index.js
@ -21,6 +21,7 @@ var debug = require('debug')('express:router');
 var deprecate = require('depd')('express');
 var flatten = require('array-flatten');
 var parseUrl = require('parseurl');
+var setPrototypeOf = require('setprototypeof')

 /**
 * Module variables.
@ -47,7 +48,7 @@ var proto = module.exports = function(options) {
  }

  // mixin Router class functions
-  router.__proto__ = proto;
+  setPrototypeOf(router, proto)

  router.params = {};
  router._params = [];
--- a/package.json
+++ b/package.json
@ -50,6 +50,7 @@
    "range-parser": "~1.2.0",
    "send": "0.14.2",
    "serve-static": "~1.11.2",
+    "setprototypeof": "1.0.3",
    "statuses": "~1.3.1",
    "type-is": "~1.6.14",
    "utils-merge": "1.0.0",