From 17b90d0be692f1704e4623731163285b0480520f Mon Sep 17 00:00:00 2001
From: Jason Saayman
Date: Sat, 18 Apr 2026 15:14:06 +0200
Subject: [PATCH] fix(security): guard mergeConfig value reads with hasOwnProp
---
 lib/core/mergeConfig.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/core/mergeConfig.js b/lib/core/mergeConfig.js
index 38ac341f..ce7afb6d 100644
--- a/lib/core/mergeConfig.js
+++ b/lib/core/mergeConfig.js
@@ -99,7 +99,9 @@ export default function mergeConfig(config1, config2) {
 utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
 if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') return;
 const merge = utils.hasOwnProp(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties;
- const configValue = merge(config1[prop], config2[prop], prop);
+ const a = utils.hasOwnProp(config1, prop) ? config1[prop] : undefined;
+ const b = utils.hasOwnProp(config2, prop) ? config2[prop] : undefined;
+ const configValue = merge(a, b, prop);
 (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
 });
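Review bot: The new `utils.hasOwnProp` guards cover only the two reads in `computeConfigValue`, while each strategy still receives `prop` as its third argument and is defined outside this hunk, so whether they consult `config1`/`config2` again cannot be checked from here. If any of them (for example `mergeDirectKeys`, referenced on the following line) tests presence with `prop in config2` or indexes the configs directly, a value inherited through the prototype chain could still influence the merged result, and those reads should go through `utils.hasOwnProp` as well. I would also add a comment above the new lines so the guard is not simplified back to a plain index later, e.g. `// Own properties only: values inherited via the prototype chain must never enter the merged config.` The diffstat shows a single file changed, so a regression test that merges configs while `Object.prototype` carries an extra key appears to be missing. `mergeConfig` starts and ends outside the hunk.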