From 63e7ed05aa4b1889ec2f3b196426db4500cbda94 Mon Sep 17 00:00:00 2001
From: substack
Date: Tue, 10 Mar 2020 08:36:30 -1000
Subject: [PATCH] don't assign onto __proto__
---
 index.js | 1 +
 test/proto.js | 1 +
 2 files changed, 2 insertions(+)
diff --git a/index.js b/index.js
index 388a963..3b13f44 100644
--- a/index.js
+++ b/index.js
@@ -70,6 +70,7 @@ module.exports = function (args, opts) {
  var o = obj;
  keys.slice(0,-1).forEach(function (key) {
  if (o[key] === undefined) o[key] = {};
+ if (o[key] === {}.__proto__) o[key] = {};
  o = o[key];
  });
diff --git a/test/proto.js b/test/proto.js
index 015ea60..87490c3 100644
--- a/test/proto.js
+++ b/test/proto.js
@@ -4,5 +4,6 @@ var test = require('tape');
  test('proto pollution', function (t) {
  var argv = parse(['--__proto__.x','123']);
  t.equal({}.x, undefined);
+ t.equal(argv.__proto__.x, 123);
  t.end();
  });
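Review bot: In the index.js hunk the added guard `if (o[key] === {}.__proto__) o[key] = {};` recognises `Object.prototype` only by identity and only helps when the reassignment actually takes effect, so a dotted key that reaches a shared prototype through a read-only property (key names such as `constructor` or `prototype`) can still leave `o` pointing at it in non-strict code. A name-based check is easier to audit, for example `if (keys.some(function (k) { return k === '__proto__' || k === 'constructor' || k === 'prototype'; })) return;` placed before the loop; that drops such keys instead of redirecting them, so the assertion added in test/proto.js would have to change with it. Whichever form is kept, a comment on the guard should say that `o['__proto__'] = {}` goes through the `__proto__` setter and swaps the prototype of the result object rather than creating an own property. The enclosing function starts and ends outside the hunk, so the final-key assignment could not be checked here.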
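Review bot: In test/proto.js the new assertion `t.equal(argv.__proto__.x, 123)` pins the redirect but not its side effect: because the fix replaces the prototype of `argv`, `argv.x` presumably also reads 123 through inheritance without being an own property (the final assignment is outside the visible hunk, so this is inferred). Making that explicit would help, either with `t.equal(Object.prototype.hasOwnProperty.call(argv, 'x'), false);` or with a comment such as `// value lands on a fresh prototype of argv, never on Object.prototype`. The test also exercises only the `__proto__` spelling; a sibling case for other prototype-reaching key names would guard against regressions.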