diff --git a/index.js b/index.js
index c2adffb..d60835c 100644
--- a/index.js
+++ b/index.js
@@ -1,6 +1,8 @@
 function merge(dst, ...sources) {
 for (src of sources) {
 for (let key in src) {
+ //fix for prototype pollution
+ if (key === "__proto__" || key === "constructor") continue;
 let s = src[key], d = dst[key]
 if (Object(s) == s && Object(d) === d) {
 dst[key] = merge(d, s)
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..5349986
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,13 @@
+{
+ "name": "@viking04/merge",
+ "version": "1.0.1",
+ "lockfileVersion": 2,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "@viking04/merge",
+ "version": "1.0.1",
+ "license": "MIT"
+ }
+ }
+}
diff --git a/test/test.js b/test/test.js
index 1bd96ba..20fbb9c 100644
--- a/test/test.js
+++ b/test/test.js
@@ -3,4 +3,9 @@ var a = {"a":{"red":"apple"}}
 var b = {"b":{"yellow":"mango"}}
 var c = {"a":{"orange":"orange"}}
 merge(a,b,c)
-console.log(a)
\ No newline at end of file
+console.log(a)
+
+//Test case for prototype pollution fix
+var prototype_pollution_test = JSON.parse('{"__proto__":{"polluted":true}}')
+merge(a,prototype_pollution_test)
+console.log({}.polluted)
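Review bot: The added guard is purely name-based, and the line after it still reads `d = dst[key]` without an own-property check, so for any key that `dst` inherits rather than owns (for example a method name from `Object.prototype`) `Object(d) === d` holds and `merge(d, s)` recurses into a shared built-in object instead of creating a fresh own property. Reading only own properties closes that gap independently of the deny-list: `let s = src[key], d = Object.prototype.hasOwnProperty.call(dst, key) ? dst[key] : undefined`; a deny-list entry for `"prototype"` is also commonly added to merge guards, though whether it matters here depends on callers passing function targets. Separately, the context line `for (src of sources)` declares no binding, so `src` becomes an implicit global (and a ReferenceError under strict mode); `for (const src of sources) {` fixes that. The body of `merge` continues outside the hunk.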
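Review bot: The new test only prints `{}.polluted` to the console at the end of the hunk, so it cannot fail if the guard in `index.js` regresses; an explicit check is needed, e.g. `if ({}.polluted !== undefined) throw new Error('Object.prototype was polluted')`. The guard also handles the `constructor` key, but the test leaves that path unexercised, so a matching case for it would be worth adding. Note that the payload is built with `JSON.parse`, which is what makes `__proto__` an own enumerable key that `for...in` visits; an object literal would not reproduce the case, so that detail deserves a comment in the test.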