File CVE-2021-44906.patch of Package nodejs14.23946

Index: node-v8.17.0/deps/npm/node_modules/minimist/index.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/index.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/index.js
@@ -70,7 +70,7 @@ module.exports = function (args, opts) {
         var o = obj;
         for (var i = 0; i < keys.length-1; i++) {
             var key = keys[i];
-            if (key === '__proto__') return;
+            if (isConstructorOrProto(o, key)) return;
             if (o[key] === undefined) o[key] = {};
             if (o[key] === Object.prototype || o[key] === Number.prototype
                 || o[key] === String.prototype) o[key] = {};
@@ -79,7 +79,7 @@ module.exports = function (args, opts) {
         }
 
         var key = keys[keys.length - 1];
-        if (key === '__proto__') return;
+        if (isConstructorOrProto(o, key)) return;
         if (o === Object.prototype || o === Number.prototype
             || o === String.prototype) o = {};
         if (o === Array.prototype) o = [];
@@ -243,3 +243,7 @@ function isNumber (x) {
     return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
 }
 
+
+function isConstructorOrProto (obj, key) {
+    return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
+}
Index: node-v8.17.0/deps/npm/node_modules/minimist/package.json
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/package.json
+++ node-v8.17.0/deps/npm/node_modules/minimist/package.json
@@ -69,5 +69,5 @@
       "opera/12"
     ]
   },
-  "version": "1.2.5"
+  "version": "1.2.6"
 }
Index: node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/readme.markdown
+++ node-v8.17.0/deps/npm/node_modules/minimist/readme.markdown
@@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -a
 Previous versions had a prototype pollution bug that could cause privilege
 escalation in some circumstances when handling untrusted user input.
 
-Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Please use version 1.2.6 or later:
+
+* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
+* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
 
 # methods
 
Index: node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
===================================================================
--- node-v8.17.0.orig/deps/npm/node_modules/minimist/test/proto.js
+++ node-v8.17.0/deps/npm/node_modules/minimist/test/proto.js
@@ -42,3 +42,19 @@ test('proto pollution (constructor)', fu
     t.equal(argv.y, undefined);
     t.end();
 });
+
+test('proto pollution (constructor function)', function (t) {
+    var argv = parse(['--_.concat.constructor.prototype.y', '123']);
+    function fnToBeTested() {}
+    t.equal(fnToBeTested.y, undefined);
+    t.equal(argv.y, undefined);
+    t.end();
+});
+
+// powered by snyk - https://github.com/backstage/backstage/issues/10343
+test('proto pollution (constructor function) snyk', function (t) {
+    var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
+    t.equal((function(){}).foo, undefined);
+    t.equal(argv.y, undefined);
+    t.end();
+})