From 32c98041515d68047ff8bb9a9f81211ff8960b5f Mon Sep 17 00:00:00 2001
From: maryliag
Date: Mon, 13 Apr 2026 11:49:07 -0400
Subject: [PATCH 1/2] feat(opentelemetry-core): add extra checks on internal merge function for safety
---
 CHANGELOG.md | 1 +
 packages/opentelemetry-core/src/utils/merge.ts | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8328794952e..47bdcef26f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ For notes on migrating to 2.x / 0.200.x see [the upgrade guide](doc/upgrade-to-2
 * feat(sdk-metrics): adds the cardinalitySelector argument to PeriodicExportingMetricReaders [#6460](https://github.com/open-telemetry/opentelemetry-js/pull/6460) @starzlocker
+* feat(opentelemetry-core): add extra checks on internal merge function for safety [#x](https://github.com/open-telemetry/opentelemetry-js/pull/x) @maryliag
 ### :boom: Breaking Changes
diff --git a/packages/opentelemetry-core/src/utils/merge.ts b/packages/opentelemetry-core/src/utils/merge.ts
index 908df5735d8..4750a9d8a0f 100644
--- a/packages/opentelemetry-core/src/utils/merge.ts
+++ b/packages/opentelemetry-core/src/utils/merge.ts
@@ -69,6 +69,13 @@ function mergeTwoObjects(
 const keys = Object.keys(two);
 for (let i = 0, j = keys.length; i < j; i++) {
 const key = keys[i];
+ if (
+ key === '__proto__' ||
+ key === 'constructor' ||
+ key === 'prototype'
+ ) {
+ continue;
+ }
 result[key] = takeValue(two[key]);
 }
 }
@@ -82,6 +89,13 @@ function mergeTwoObjects(
 for (let i = 0, j = keys.length; i < j; i++) {
 const key = keys[i];
+ if (
+ key === '__proto__' ||
+ key === 'constructor' ||
+ key === 'prototype'
+ ) {
+ continue;
+ }
 const twoValue = two[key];
 if (isPrimitive(twoValue)) {
From fc92b57293049daa8869f2507897437f7a49d121 Mon Sep 17 00:00:00 2001
From: maryliag
Date: Mon, 13 Apr 2026 12:16:03 -0400
Subject: [PATCH 2/2] changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
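Review bot: The same three-key guard is written out twice, in the loop at `@@ -69` and again in the loop at `@@ -82`, and neither copy has a comment saying it exists to keep an own `__proto__`, `constructor` or `prototype` key in `two` from being written through `result[key]`. I would hoist it to one module-level constant, `const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);`, and use `if (UNSAFE_KEYS.has(key)) continue;` in both loops, with a one-line comment such as `// skip keys that could rewrite the prototype chain (prototype pollution)`. The skip is silent, so a legitimate input property named `constructor` or `prototype` is now dropped from the merged result; that deserves a sentence in the function's doc comment. The diffstat lists only CHANGELOG.md and merge.ts, so the guard appears to ship without a regression test; one case per loop that merges an object parsed from JSON with an own `__proto__` key and asserts that `Object.prototype` is unchanged would pin it. Both loops sit inside `mergeTwoObjects`, whose body starts and ends outside these hunks.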
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47bdcef26f2..95b7c82ad3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@ For notes on migrating to 2.x / 0.200.x see [the upgrade guide](doc/upgrade-to-2
 * feat(sdk-metrics): adds the cardinalitySelector argument to PeriodicExportingMetricReaders [#6460](https://github.com/open-telemetry/opentelemetry-js/pull/6460) @starzlocker
-* feat(opentelemetry-core): add extra checks on internal merge function for safety [#x](https://github.com/open-telemetry/opentelemetry-js/pull/x) @maryliag
+* feat(opentelemetry-core): add extra checks on internal merge function for safety [#6587](https://github.com/open-telemetry/opentelemetry-js/pull/6587) @maryliag
 ### :boom: Breaking Changes