
fix: prototype pollution vulnerabilities in utils.js and json-patch.js#1952

Merged
Caele merged 2 commits into main from copilot/fix-prototype-polluting-assignments
Mar 25, 2026

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Four CodeQL-detected prototype-polluting assignment alerts in apis/conversion/src/utils.js and apis/supernova/src/json-patch.js where user-controlled keys could reach __proto__, constructor, or prototype assignments/deletions.

apis/conversion/src/utils.js

  • Added isSafeKey guard blocking __proto__, constructor, and prototype
  • Applied to intermediate path steps in setValue — without this, a reference like __proto__.polluted traversal would execute dataContainer.__proto__ = {}
  • Replaced the incomplete propertyName !== '__proto__' && propertyName !== 'constructor' check (missing prototype) with isSafeKey, and changed the unsafe-key branch to early-return instead of falling through to delete dataContainer[propertyName]
```js
// Before: incomplete check + dangerous fallthrough to delete
if (typeof value !== 'undefined' && propertyName !== '__proto__' && propertyName !== 'constructor') {
  dataContainer[propertyName] = value;
} else {
  delete dataContainer[propertyName]; // ran for unsafe keys too
}

// After: unified safe guard, clean early return
if (!isSafeKey(propertyName)) return;
if (typeof value !== 'undefined') {
  dataContainer[propertyName] = value;
} else {
  delete dataContainer[propertyName];
}
```

apis/supernova/src/json-patch.js

  • Added isSafeKey(key) to the emptyObject delete guard — isSafeKey was already defined in this file; the emptyObject function simply wasn't using it

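The guard described in the PR body, worked through as an added example that is not the project's code: `isSafeKey` rejects the three keys that reach `Object.prototype`, a path setter in the spirit of `setValue` applies it to every intermediate step and to the final key (with the early return instead of the delete fallthrough), and an `emptyObject`-style helper applies it to deletions. The path format (`'a.b.c'` or an array of steps), the `hasOwn` check and the function names are assumptions for this example; the real `setValue` may resolve references differently.

```javascript
// Added example (not the repository's code). Assumes dotted-string or array paths.
function isSafeKey(key) {
  // The three keys through which an assignment can reach Object.prototype.
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened path setter: every intermediate step is guarded, so a path such as
// '__proto__.polluted' or 'a.constructor.prototype.x' is refused before any
// container is created or traversed. Returns true if the write/delete happened.
function setValue(root, path, value) {
  const steps = Array.isArray(path) ? path : String(path).split('.');
  if (steps.length === 0) return false;

  let container = root;
  for (let i = 0; i < steps.length - 1; i++) {
    const key = steps[i];
    if (!isSafeKey(key)) return false; // would otherwise do container.__proto__ = {}
    // Only descend into own, plain-object values; create one otherwise.
    if (!hasOwn(container, key) || typeof container[key] !== 'object' || container[key] === null) {
      container[key] = {};
    }
    container = container[key];
  }

  const last = steps[steps.length - 1];
  if (!isSafeKey(last)) return false; // early return: no fallthrough to delete
  if (typeof value !== 'undefined') {
    container[last] = value;
  } else {
    delete container[last];
  }
  return true;
}

// Deletion guarded the same way, mirroring the json-patch.js emptyObject fix.
// JSON.parse('{"__proto__": {}}') yields an own "__proto__" key, which is the
// kind of user-controlled key CodeQL flags in a delete.
function emptyObject(obj) {
  for (const key of Object.keys(obj)) {
    if (isSafeKey(key)) delete obj[key];
  }
  return obj;
}

// Self-check with constructed inputs: hostile paths are refused and the
// global Object.prototype is untouched; ordinary paths still work.
function demo() {
  const target = {};
  const refusedProto = setValue(target, '__proto__.polluted', 'yes');
  const refusedCtor = setValue(target, 'constructor.prototype.polluted', 'yes');
  const refusedNested = setValue(target, 'a.__proto__.polluted', 'yes');
  setValue(target, 'a.b.c', 1);
  setValue(target, 'a.b.c', undefined);
  return {
    refusedProto, refusedCtor, refusedNested,
    globalPolluted: ({}).polluted !== undefined,
    ownKeys: Object.keys(target),
    cStillThere: hasOwn(target.a.b, 'c'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The important property is that the guard runs on the intermediate keys, not only the last one: with a guard on the final key alone, `'__proto__.polluted'` still creates or walks into `root.__proto__` before the final check ever fires.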

Copilot AI changed the title from "[WIP] Fix prototype-polluting assignment vulnerabilities" to "Fix prototype pollution vulnerabilities in utils.js and json-patch.js" Mar 25, 2026
Copilot AI requested a review from Caele March 25, 2026 08:28
@Caele Caele changed the title from "Fix prototype pollution vulnerabilities in utils.js and json-patch.js" to "fix: prototype pollution vulnerabilities in utils.js and json-patch.js" Mar 25, 2026
@Caele Caele marked this pull request as ready for review March 25, 2026 12:53
@Caele Caele merged commit 05eb5aa into main Mar 25, 2026
11 checks passed
@Caele Caele deleted the copilot/fix-prototype-polluting-assignments branch March 25, 2026 12:53
