Fix prototype pollution vulnerability
mariocasciaro committed Sep 16, 2021
1 parent 43a926f commit 4f0903f
Showing 4 changed files with 441 additions and 149 deletions.
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -13,6 +13,10 @@ Access deep properties using a path

## Changelog

### 0.11.8

* **SECURITY FIX**. Fix a prototype pollution vulnerability in the `del()`, `empty()`, `push()`, `insert()` functions when using the "inherited props" mode (e.g. when a new `object-path` instance is created with the `includeInheritedProps` option set to `true` or when using the `withInheritedProps` default instance. To help with preventing this type of vulnerability in the client code, also the `get()` function will now throw an exception if an object's magic properties are accessed. The vulnerability does not exist in the default instance exposed by object path (e.g `objectPath.del()`) if using version >= `0.11.0`.

### 0.11.6

* **SECURITY FIX**. Fix a circumvention of the security fix released in 0.11.5 when non-string/non-numeric values are used in the path (e.g. `op.withInheritedProps.set({}, [['__proto__'], 'polluted'], true)`)
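Review bot: the 0.11.8 entry has an unclosed parenthesis: the "(e.g. when a new `object-path` instance is created ... or when using the `withInheritedProps` default instance." clause never closes, and "e.g `objectPath.del()`" is missing its period; suggest closing the parenthesis after "default instance" and splitting the run-on so the affected functions, the affected mode, and the unaffected default instance each get their own sentence. The new `get()` behaviour (throwing when a magic property such as `__proto__` is accessed in inherited-props mode) is a breaking change for callers that previously read such keys; say so explicitly and name the exception that is thrown so users know what to catch. Also, the changelog goes from 0.11.6 directly to 0.11.8 with no 0.11.7 entry visible in the hunk.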
Expand Down Expand Up @@ -176,6 +180,8 @@ objectPath.withInheritedProps.get(obj, 'notOwn.prop');
objectPath.set(obj, 'notOwn.prop', 'b');
```

**NOTE**: For security reasons `object-path` will throw an exception when trying to access an object's magic properties (e.g. `__proto__`, `constructor`) when in "inherited props" mode.

### Immutability

If you are looking for an *immutable* alternative of this library, you can take a look at: [object-path-immutable](https://github.com/mariocasciaro/object-path-immutable)
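Review bot: the NOTE says an exception is thrown but not which one or from which functions; readers need the error type or message to handle it, and the changelog entry above says `get()` throws as well as the mutating functions, so list the affected functions here and state what is thrown. It would also help to say that the default instance (own properties only) is unaffected, consistent with the changelog.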
7 changes: 7 additions & 0 deletions SECURITY.md
@@ -0,0 +1,7 @@

Reporting a security issue
===========

Please report any suspected security vulnerabilities responsibly to protect the users of this package. Try not share them publicly before the issue is confirmed and a fix is produced.

Send us an email at report @ mario.fyi to privately report any security vulnerability to us.
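Review bot: "Try not share them publicly" is missing "to" ("Try not to share"). The policy gives a contact address but no expected acknowledgement time and no statement of which versions receive fixes; adding those two lines would set reporter expectations. Minor: the setext underline is shorter than the heading text, which Markdown accepts but is usually matched for readability.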
