Use Object.create(null) over {} to avoid prototype issues (#4634)

benjie · yaacovCR · web-flow · commit e09f7dafbc30 · 2026-04-16T14:51:10.000+03:00
Forward-port of #4631. From #4631 (on v16): > Object.create(null) is generally safer since it is not vulnerable to prototype pollution in user code. To avoid breaking changes I've returned { ...obj } thus ensuring that the returned object still has the default Object prototype. This PR on v17 skips that latter portion, i.e. on v17 this PR returns `obj` rather than `{ ...obj }`, a BREAKING CHANGE for v17 which minimizes the performance regression. --------- Co-authored-by: Yaacov Rydzinski <yaacovCR@gmail.com>
diff --git a/src/execution/values.ts b/src/execution/values.ts
@@ -205,8 +205,8 @@ export function getArgumentValues(
   variableValues?: Maybe<VariableValues>,
   fragmentVariableValues?: Maybe<FragmentVariableValues>,
   hideSuggestions?: Maybe<boolean>,
-): { [argument: string]: unknown } {
-  const coercedValues: { [argument: string]: unknown } = {};
+): ObjMap<unknown> {
+  const coercedValues: ObjMap<unknown> = Object.create(null);
 
   const argumentNodes = node.arguments ?? [];
   const argNodeMap = new Map(argumentNodes.map((arg) => [arg.name.value, arg]));
diff --git a/src/utilities/coerceInputValue.ts b/src/utilities/coerceInputValue.ts
@@ -2,6 +2,7 @@ import { invariant } from '../jsutils/invariant.js';
 import { isIterableObject } from '../jsutils/isIterableObject.js';
 import { isObjectLike } from '../jsutils/isObjectLike.js';
 import type { Maybe } from '../jsutils/Maybe.js';
+import type { ObjMap } from '../jsutils/ObjMap.js';
 
 import type { ValueNode, VariableNode } from '../language/ast.js';
 import { Kind } from '../language/kinds.js';
@@ -69,7 +70,7 @@ export function coerceInputValue(
       return; // Invalid: intentionally return no value.
     }
 
-    const coercedValue: any = {};
+    const coercedValue: ObjMap<unknown> = Object.create(null);
     const fieldDefs = type.getFields();
     const hasUndefinedField = Object.keys(inputValue).some(
       (name) => !Object.hasOwn(fieldDefs, name),
@@ -211,7 +212,7 @@ export function coerceInputLiteral(
       return; // Invalid: intentionally return no value.
     }
 
-    const coercedValue: { [field: string]: unknown } = {};
+    const coercedValue: ObjMap<unknown> = Object.create(null);
     const fieldDefs = type.getFields();
     const hasUndefinedField = valueNode.fields.some(
       (field) => !Object.hasOwn(fieldDefs, field.name.value),
