{"id":13743328,"url":"https://github.com/snyk-labs/nopp","last_synced_at":"2026-02-26T11:15:14.018Z","repository":{"id":43822453,"uuid":"393048877","full_name":"snyk-labs/nopp","owner":"snyk-labs","description":"Tiny helper to protect against Prototype Pollution vulnerabilities in your application regardless if they introduced in your own code or in 3rd-party code","archived":false,"fork":false,"pushed_at":"2022-11-02T15:37:39.000Z","size":20,"stargazers_count":33,"open_issues_count":2,"forks_count":7,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-11-27T23:46:48.213Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snyk-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-08-05T13:16:25.000Z","updated_at":"2025-08-07T04:00:57.000Z","dependencies_parsed_at":"2023-01-21T07:15:49.758Z","dependency_job_id":null,"html_url":"https://github.com/snyk-labs/nopp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/snyk-labs/nopp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fnopp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fnopp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fnopp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fnopp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snyk-labs","download_url":"https://codeload.github.com/snyk-labs/nopp/tar.gz
/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fnopp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29856984,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T08:51:08.701Z","status":"ssl_error","status_checked_at":"2026-02-26T08:50:19.607Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T05:00:44.672Z","updated_at":"2026-02-26T11:15:13.981Z","avatar_url":"https://github.com/snyk-labs.png","language":"JavaScript","funding_links":[],"categories":["Security Hardening"],"sub_categories":[],"readme":"# nopp\n\n`NoPP` (No Prototype Pollution) – tiny helper to protect against Prototype\nPollution vulnerabilities in your application, regardless of whether they are\nintroduced in your own code or by 3rd-party code.\n\n## How does this package work?\n\nBy calling [Object.freeze](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/freeze)\non some built-in JavaScript objects.\n\n\u003e The `Object.freeze()` method freezes an object. 
A frozen object can no longer be changed; freezing an object prevents new properties from being added to it, existing properties from being removed, prevents changing the enumerability, configurability, or writability of existing properties, and prevents the values of existing properties from being changed.\n\nWe believe there are legitimate cases for changing prototypes, but they should\nhappen only during the initialization step. Hence, we recommend loading this\npackage last, after every other module in your application has been loaded.\n\n## Why should you use this package?\n\nPrototype Pollution vulnerabilities make up roughly 25% of all discovered\nvulnerabilities in the JS ecosystem and are probably the most common class.\n\nAround 25% of them cannot be fixed by upgrading to a newer version. This\npackage protects you even when you depend on a package that contains an\nunfixed Prototype Pollution vulnerability.\n\n## What type of applications should use this package?\n\n- CLI applications\n- Web applications\n- Front-end applications\n\n## You should not use this package if\n\n- Your code is a library (used as a dependency for other projects)\n- You modify prototypes of JavaScript built-in objects at run time\n\n## How to use\n\n```shell\nnpm install nopp\n```\n\n```javascript\n// ... all your require calls ...\nrequire('nopp');\n```\n\nor if you use mjs syntax\n\n```javascript\n// ... 
all your import calls ...\nimport 'nopp';\n```\n\n## Example\n\n```javascript\nconst _ = require('lodash'); // Version 4.17.4 is vulnerable: https://security.snyk.io/vuln/npm:lodash:20180130\n\n// Attacker-controlled JSON reaches a deep merge: the __proto__ key lands on Object.prototype\n_.merge({}, JSON.parse('{\"__proto__\":{\"foo\":\"polluted\"}}'));\nconsole.log(({}).foo); // polluted\n\nrequire('nopp'); // freezes the built-in prototypes from here on\n\n_.merge({}, JSON.parse('{\"__proto__\":{\"bar\":\"polluted\"}}'));\nconsole.log(({}).bar); // undefined\n```\n\n## Edge cases\n\nIn some rare cases an attempt to exploit a Prototype Pollution vulnerability\nagainst the frozen built-ins raises `TypeError: Cannot redefine property` or\n`TypeError: Cannot assign to read only property` instead of failing silently\n(writes to a frozen object throw in strict-mode code and are ignored in\nsloppy-mode code). An unhandled exception turns the blocked attack into a DoS,\nso make sure you have an `uncaughtException` handler implemented and that your\nrequest handlers catch errors.\n\n## FAQ\n\n### Should I prefer `nopp` instead of the `--frozen-intrinsics` Node.js flag?\n\n[`--frozen-intrinsics`](https://nodejs.org/docs/latest-v17.x/api/cli.html#--frozen-intrinsics) was added in Node.js v11.12.0 and is still at the experimental stability level.\n\nThe main purpose of the flag is exactly the same as that of this package: to protect the runtime from unintended modifications of prototypes.\n\nWe believe there are several reasons why you may prefer `nopp`:\n\n1. You control when the package is imported and therefore when prototypes are frozen. Many applications modify prototypes slightly to add tweaks or polyfills; with `--frozen-intrinsics` that is not possible without significant refactoring, because the intrinsics are frozen before any application code runs. `nopp` is imported after all other packages and in most cases causes no backward-compatibility issues.\n2. `nopp` also works in client-side applications. You may prefer it for consistency between your backend Node.js code and your client-side code.\n\n### Is the `--disable-proto` Node.js flag enough to be protected?\n\nNo.\n\n[`--disable-proto`](https://nodejs.org/docs/latest-v17.x/api/cli.html#--disable-protomode) was added in Node.js v12.17.0. 
It can delete the `__proto__` property from the runtime entirely (or make every access to it throw) and so blocks some prototype pollution payloads.\n\nUnfortunately, unlike `nopp`, it does not protect your application against payloads that reach the prototype through `constructor.prototype`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fnopp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnyk-labs%2Fnopp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fnopp/lists"}
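The following JavaScript is an added example and is not code from the nopp README or from the nopp package. It works through the README's Example, Edge cases and `--disable-proto` FAQ in one self-contained run: a hypothetical `naiveMerge` (an assumed stand-in for a vulnerable dependency such as the lodash version cited above) is fed two constructed payloads, one via `__proto__` and one via `constructor.prototype`, before and after a `hardenIntrinsics` helper that freezes built-ins the way nopp does (the helper and its list of frozen objects are this example's own, not nopp's). It also shows why the blocked write throws in strict-mode code but is dropped silently in sloppy-mode code, which is what decides whether a failed attack becomes a DoS.

```javascript
'use strict';

// Constructed attacker payloads, of the kind an untrusted JSON request body
// might carry. Both aim at Object.prototype: the first through the __proto__
// accessor, the second through constructor.prototype, the path the README notes
// --disable-proto does not block.
const PROTO_PAYLOAD = '{"__proto__":{"isAdmin":true}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"isAdmin":true}}}';

// Hypothetical naive recursive merge standing in for a vulnerable dependency.
// It walks the keys of untrusted input and assigns into the target without
// screening "__proto__", "constructor" or "prototype". The function-level
// directive keeps it strict however this file is loaded, so a write to a frozen
// object throws instead of being dropped.
function naiveMerge(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] == null) target[key] = {};
      naiveMerge(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one payload through the merge and reports whether a fresh, empty object
// now inherits the injected attribute; then removes it so the next step starts
// from a clean prototype.
function pollutes(payloadJson) {
  naiveMerge({}, JSON.parse(payloadJson));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Freezes the built-ins an attacker reaches via __proto__ or
// constructor.prototype, the same technique nopp applies (this is not nopp's
// code, and nopp's own list of frozen objects may differ). Call it once, after
// all other modules are loaded and any legitimate polyfills are installed.
function hardenIntrinsics() {
  for (const intrinsic of [Object.prototype, Object, Array.prototype, Array]) {
    Object.freeze(intrinsic);
  }
}

// After hardening, the same payloads no longer pollute and, because naiveMerge
// is strict, the blocked write surfaces as a TypeError: the edge case the README
// describes, where an attacker who cannot pollute can still crash a handler
// that has no error handling.
function attemptPollution(payloadJson) {
  let threw = false;
  try {
    naiveMerge({}, JSON.parse(payloadJson));
  } catch (err) {
    threw = err instanceof TypeError;
  }
  return { polluted: ({}).isAdmin === true, threw };
}

// Functions built with the Function constructor are always sloppy-mode, so the
// same write against a frozen prototype is dropped silently there. Whether a
// blocked attack crashes or fizzles depends on the vulnerable library's own
// strictness, not on the caller's.
function sloppyWriteIsSilent() {
  const sloppyWrite = new Function('obj', 'obj.isAdmin = true; return obj.isAdmin;');
  return sloppyWrite(Object.prototype) === undefined && ({}).isAdmin === undefined;
}

function runDemo() {
  const cleanStart = ({}).isAdmin === undefined;
  const protoBefore = pollutes(PROTO_PAYLOAD); // true: vulnerable
  const ctorBefore = pollutes(CTOR_PAYLOAD); // true: vulnerable
  hardenIntrinsics(); // the point at which an application would require('nopp')
  const protoAfter = attemptPollution(PROTO_PAYLOAD); // { polluted: false, threw: true }
  const ctorAfter = attemptPollution(CTOR_PAYLOAD); // { polluted: false, threw: true }
  const sloppySilent = sloppyWriteIsSilent(); // true
  return { cleanStart, protoBefore, ctorBefore, protoAfter, ctorAfter, sloppySilent };
}

const results = runDemo();
console.log(JSON.stringify(results, null, 2));
```

Run it with `node`. The `constructor.prototype` payload pollutes exactly as the `__proto__` one does before hardening, which is why deleting `__proto__` alone is not sufficient; after hardening both are stopped, and the strict-mode `TypeError` is the reason the README asks for an `uncaughtException` handler.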