Ensure Object.prototype is not augmented by _.merge.

lodash.js

@@ -1224,20 +1224,6 @@
     return result;
   }
 
-  /**
-   * Gets the value at `key`, unless `key` is "__proto__".
-   *
-   * @private
-   * @param {Object} object The object to query.
-   * @param {string} key The key of the property to get.
-   * @returns {*} Returns the property value.
-   */
-  function safeGet(object, key) {
-    return key == '__proto__'
-      ? undefined
-      : object[key];
-  }
-
   /**
    * Converts `set` to an array of its values.
    *
@@ -6618,6 +6604,29 @@
       return array;
     }
 
+    /**
+     * Gets the value at `key`, unless `key` is "__proto__" or "prototype".
+     *
+     * @private
+     * @param {Object} object The object to query.
+     * @param {string} key The key of the property to get.
+     * @returns {*} Returns the property value.
+     */
+    function safeGet(object, key) {
+      if (key == '__proto__') {
+        return;
+      }
+
+      var value = object[key];
+
+      if (key == 'prototype' &&
+          value === objectProto) {
+        return;
+      }
+
+      return value;
+    }
+
     /**
      * Sets metadata for `func`.
      *

test/test.js

@@ -7554,6 +7554,17 @@
         skipAssert(assert);
       }
     });
+
+    QUnit.test('should not merge `Object.prototype` properties', function(assert) {
+      assert.expect(1);
+
+      _.merge({}, { 'constructor': { 'prototype': { 'a': 1 } } });
+
+      var actual = 'a' in objectProto;
+      delete objectProto.a;
+
+      assert.notOk(actual);
+    });
   }());
 
   /*--------------------------------------------------------------------------*/