noPrototypeBuiltins (since v12.0.0)
Disallow direct use of Object.prototype
builtins.
ECMAScript 5.1 added Object.create
which allows the creation of an object with a custom prototype. This pattern is often used for objects used as Maps (for example, Object.create(null)). However, such an object does not inherit from Object.prototype, so this pattern can lead to errors if something else relies on prototype properties/methods being present. Moreover, the methods can be shadowed by an own property of the same name, which can lead to random bugs and denial of service vulnerabilities. For example, calling hasOwnProperty
directly on parsed JSON like {"hasOwnProperty": 1}
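could lead to vulnerabilities: the own property shadows the inherited method, so the call throws a TypeError instead of running the builtin. To avoid subtle bugs like this, you should call these methods from Object.prototype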
. For example, foo.isPrototypeOf(bar)
should be replaced with Object.prototype.isPrototypeOf.call(foo, bar).
As for the hasOwn
method, foo.hasOwn("bar")
should be replaced with Object.hasOwn(foo, "bar")
.
Examples
Invalid
var invalid = foo.hasOwnProperty("bar");
nursery/noPrototypeBuiltins.js:1:19 lint/nursery/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'hasOwnProperty' from target object.
> 1 │ var invalid = foo.hasOwnProperty("bar");
│ ^^^^^^^^^^^^^^
2 │
ℹ It's recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
var invalid = foo.isPrototypeOf(bar);
nursery/noPrototypeBuiltins.js:1:19 lint/nursery/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'isPrototypeOf' from target object.
> 1 │ var invalid = foo.isPrototypeOf(bar);
│ ^^^^^^^^^^^^^
2 │
var invalid = foo.propertyIsEnumerable("bar");
nursery/noPrototypeBuiltins.js:1:19 lint/nursery/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'propertyIsEnumerable' from target object.
> 1 │ var invalid = foo.propertyIsEnumerable("bar");
│ ^^^^^^^^^^^^^^^^^^^^
2 │
Valid
// Static call: the method is never looked up on foo, so an own "hasOwnProperty"
// key in untrusted data (e.g. parsed JSON) cannot shadow it, and it also works
// for objects created with Object.create(null).
// Object.hasOwn is ES2022; on older runtimes use
// Object.prototype.hasOwnProperty.call(foo, "bar") instead.
var valid = Object.hasOwn(foo, "bar");
// Takes the builtin from Object.prototype and supplies foo as `this` via .call,
// so nothing defined on foo can replace the method being invoked.
var valid = Object.prototype.isPrototypeOf.call(foo, bar);
// Same technique through a fresh object literal: the method is resolved on {}
// (normally inherited from Object.prototype), not on foo.
var valid = {}.propertyIsEnumerable.call(foo, "bar");