Do not leak Object.prototype when checking for core modules

nicolo-ribaudo · nicolo-ribaudo · commit 44ca60fa46bb · 2019-11-25T15:43:26.000+01:00
diff --git a/lib/core.js b/lib/core.js
@@ -44,7 +44,7 @@ function versionIncluded(specifierValue) {
 
 var data = require('./core.json');
 
-var core = {};
+var core = Object.create(null);
 for (var mod in data) { // eslint-disable-line no-restricted-syntax
     if (Object.prototype.hasOwnProperty.call(data, mod)) {
         core[mod] = versionIncluded(data[mod]);
diff --git a/test/core.js b/test/core.js
@@ -10,6 +10,9 @@ test('core modules', function (t) {
 
         st.ok(!resolve.isCore('seq'));
         st.ok(!resolve.isCore('../'));
+
+        st.ok(!resolve.isCore('toString'));
+
         st.end();
     });
 
