.travis.yml

@@ -1,6 +1,8 @@
 language: node_js
 node_js:
-  - lts/*
+# Using node 12.18.2 instead of lts
+# https://github.com/chartjs/Chart.js/issues/7863#issuecomment-705222874
+  - "12.18.2"
 
 before_install:
   - "export CHROME_BIN=/usr/bin/google-chrome"

docs/getting-started/integration.md

@@ -39,9 +39,7 @@ var myChart = new Chart(ctx, {...});
 ```javascript
 // Rollup
 {
-    external: {
-        ['moment']
-    }
+    external: ['moment']
 }
 ```
 

package.json

@@ -2,7 +2,7 @@
   "name": "chart.js",
   "homepage": "https://www.chartjs.org",
   "description": "Simple HTML5 charts using the canvas element.",
-  "version": "2.9.3",
+  "version": "2.9.4",
   "license": "MIT",
   "jsdelivr": "dist/Chart.min.js",
   "unpkg": "dist/Chart.min.js",

scripts/deploy.sh

@@ -8,7 +8,7 @@ TARGET_REPO_URL="https://$GITHUB_AUTH_TOKEN@github.com/chartjs/chartjs.github.io
 VERSION_REGEX='[[:digit:]]+.[[:digit:]]+.[[:digit:]]+(-.*)?'
 
 # Make sure that this script is executed only for the release and master branches
-if [ "$TRAVIS_BRANCH" == "release" ]; then
+if [ "$TRAVIS_BRANCH" =~ ^release.*$ ]; then
     # Travis executes this script from the repository root, so at the same level than package.json
     VERSION=$(node -p -e "require('./package.json').version")
 elif [ "$TRAVIS_BRANCH" == "master" ]; then

scripts/release.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-if [ "$TRAVIS_BRANCH" != "release" ]; then
+if [[ ! "$TRAVIS_BRANCH" =~ ^release.*$ ]]; then
     echo "Skipping release because this is not the 'release' branch"
     exit 0
 fi

src/core/core.controller.js

@@ -41,7 +41,7 @@ defaults._set('global', {
  * returns a deep copy of the result, thus doesn't alter inputs.
  */
 function mergeScaleConfig(/* config objects ... */) {
-	return helpers.merge({}, [].slice.call(arguments), {
+	return helpers.merge(Object.create(null), [].slice.call(arguments), {
 		merger: function(key, target, source, options) {
 			if (key === 'xAxes' || key === 'yAxes') {
 				var slen = source[key].length;
@@ -81,9 +81,9 @@ function mergeScaleConfig(/* config objects ... */) {
  * a deep copy of the result, thus doesn't alter inputs.
  */
 function mergeConfig(/* config objects ... */) {
-	return helpers.merge({}, [].slice.call(arguments), {
+	return helpers.merge(Object.create(null), [].slice.call(arguments), {
 		merger: function(key, target, source, options) {
-			var tval = target[key] || {};
+			var tval = target[key] || Object.create(null);
 			var sval = source[key];
 
 			if (key === 'scales') {
@@ -100,7 +100,7 @@ function mergeConfig(/* config objects ... */) {
 }
 
 function initConfig(config) {
-	config = config || {};
+	config = config || Object.create(null);
 
 	// Do NOT use mergeConfig for the data object because this method merges arrays
 	// and so would change references to labels and datasets, preventing data updates.

src/core/core.datasetController.js

@@ -275,7 +275,7 @@ helpers.extend(DatasetController.prototype, {
 	 */
 	_configure: function() {
 		var me = this;
-		me._config = helpers.merge({}, [
+		me._config = helpers.merge(Object.create(null), [
 			me.chart.options.datasets[me._type],
 			me.getDataset(),
 		], {

src/core/core.layouts.js

@@ -99,7 +99,8 @@ function updateDims(chartArea, params, layout) {
 		chartArea.h = newHeight;
 
 		// return true if chart area changed in layout's direction
-		return layout.horizontal ? newWidth !== chartArea.w : newHeight !== chartArea.h;
+		var sizes = layout.horizontal ? [newWidth, chartArea.w] : [newHeight, chartArea.h];
+		return sizes[0] !== sizes[1] && (!isNaN(sizes[0]) || !isNaN(sizes[1]));
 	}
 }
 

src/core/core.scale.js

@@ -130,6 +130,8 @@ function computeLabelSizes(ctx, tickFonts, ticks, caches) {
 	var widths = [];
 	var heights = [];
 	var offsets = [];
+	var widestLabelSize = 0;
+	var highestLabelSize = 0;
 	var i, j, jlen, label, tickFont, fontString, cache, lineHeight, width, height, nestedLabel, widest, highest;
 
 	for (i = 0; i < length; ++i) {
@@ -157,11 +159,13 @@ function computeLabelSizes(ctx, tickFonts, ticks, caches) {
 		widths.push(width);
 		heights.push(height);
 		offsets.push(lineHeight / 2);
+		widestLabelSize = Math.max(width, widestLabelSize);
+		highestLabelSize = Math.max(height, highestLabelSize);
 	}
 	garbageCollect(caches, length);
 
-	widest = widths.indexOf(Math.max.apply(null, widths));
-	highest = heights.indexOf(Math.max.apply(null, heights));
+	widest = widths.indexOf(widestLabelSize);
+	highest = heights.indexOf(highestLabelSize);
 
 	function valueAt(idx) {
 		return {

src/core/core.scaleService.js

@@ -22,7 +22,7 @@ module.exports = {
 	},
 	getScaleDefaults: function(type) {
 		// Return the scale defaults merged with the global settings so that we always use the latest ones
-		return this.defaults.hasOwnProperty(type) ? helpers.merge({}, [defaults.scale, this.defaults[type]]) : {};
+		return this.defaults.hasOwnProperty(type) ? helpers.merge(Object.create(null), [defaults.scale, this.defaults[type]]) : {};
 	},
 	updateScaleDefaults: function(type, additions) {
 		var me = this;

src/helpers/helpers.core.js

@@ -1,5 +1,9 @@
 'use strict';
 
+function isValidKey(key) {
+	return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
 /**
  * @namespace Chart.helpers
  */
@@ -175,7 +179,7 @@ var helpers = {
 		}
 
 		if (helpers.isObject(source)) {
-			var target = {};
+			var target = Object.create(source);
 			var keys = Object.keys(source);
 			var klen = keys.length;
 			var k = 0;
@@ -196,6 +200,12 @@ var helpers = {
 	 * @private
 	 */
 	_merger: function(key, target, source, options) {
+		if (!isValidKey(key)) {
+			// We want to ensure we do not copy prototypes over
+			// as this can pollute global namespaces
+			return;
+		}
+
 		var tval = target[key];
 		var sval = source[key];
 
@@ -211,6 +221,12 @@ var helpers = {
 	 * @private
 	 */
 	_mergerIf: function(key, target, source) {
+		if (!isValidKey(key)) {
+			// We want to ensure we do not copy prototypes over
+			// as this can pollute global namespaces
+			return;
+		}
+
 		var tval = target[key];
 		var sval = source[key];
 

test/specs/core.layouts.tests.js

@@ -653,5 +653,45 @@ describe('Chart.layouts', function() {
 			expect(yAxis.width).toBeCloseToPixel(33);
 			expect(yAxis.ticks).toEqual(['2.5', '2.0', '1.5', '1.0', '0.5', '0']);
 		});
+
+		it('should correctly handle NaN dimensions', function() {
+
+			// issue #7761: Maximum call stack size exceeded
+			var chartContainer = document.createElement('div');
+			chartContainer.style.width = '600px';
+			chartContainer.style.height = '400px';
+
+			var chartCanvas = document.createElement('canvas');
+			chartContainer.appendChild(chartCanvas);
+
+			var chart = new Chart(chartCanvas, {
+				type: 'line',
+				responsive: true,
+				data: {
+					labels: ['Red', 'Blue', 'Yellow', 'Green', 'Purple', 'Orange'],
+					datasets: [{
+						label: '# of Votes',
+						data: [12, 19, 3, 5, 2, 3]
+					}]
+				},
+				options: {
+					scales: {
+						yAxes: [{
+							type: 'linear',
+							label: 'first axis',
+							position: 'right'
+						}, {
+							type: 'linear',
+							label: 'second axis',
+							position: 'right'
+						}]
+					}
+				}
+			});
+
+			expect(chart.width).toBeNaN();
+			expect(chart.height).toBeNaN();
+
+		});
 	});
 });

test/specs/helpers.core.tests.js

@@ -265,6 +265,11 @@ describe('Chart.helpers.core', function() {
 	});
 
 	describe('clone', function() {
+		it('should not allow prototype pollution', function() {
+			var test = helpers.clone(JSON.parse('{"__proto__":{"polluted": true}}'));
+			expect(test.prototype).toBeUndefined();
+			expect(Object.prototype.polluted).toBeUndefined();
+		});
 		it('should clone primitive values', function() {
 			expect(helpers.clone()).toBe(undefined);
 			expect(helpers.clone(null)).toBe(null);
@@ -301,9 +306,33 @@ describe('Chart.helpers.core', function() {
 			expect(output.o.a).not.toBe(a1);
 			expect(output.a).not.toBe(a0);
 		});
+		it('should preserve prototype of objects', function() {
+			// https://github.com/chartjs/Chart.js/issues/7340
+			function MyConfigObject(s) {
+				this._s = s;
+			}
+			MyConfigObject.prototype.func = function() {
+				return 10;
+			};
+			var original = new MyConfigObject('something');
+			var output = helpers.merge({}, {
+				plugins: [{
+					test: original
+				}]
+			});
+			var clone = output.plugins[0].test;
+			expect(clone).toBeInstanceOf(MyConfigObject);
+			expect(clone).toEqual(original);
+			expect(clone === original).toBeFalse();
+		});
 	});
 
 	describe('merge', function() {
+		it('should not allow prototype pollution', function() {
+			var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+			expect(test.prototype).toBeUndefined();
+			expect(Object.prototype.polluted).toBeUndefined();
+		});
 		it('should update target and return it', function() {
 			var target = {a: 1};
 			var result = helpers.merge(target, {a: 2, b: 'foo'});