mariocasciaro · Oct 10, 2020 · on Dec 29, 2020 · on Dec 29, 2020
diff --git a/‎index.js
+4 b/‎index.js
+4
diff --git a/‎test.js
+761-719 b/‎test.js
+761-719
@@ -112,6 +112,10 @@
       }
       var currentPath = path[0];
       var currentValue = getShallowProperty(obj, currentPath);
+      if (options.includeInheritedProps && (currentPath === '__proto__' ||
+        (currentPath === 'constructor' && typeof currentValue === 'function'))) {
+        throw new Error('For security reasons, object\'s magic properties cannot be set')
+      }
       if (path.length === 1) {
         if (currentValue === void 0 || !doNotReplace) {
           obj[currentPath] = value;