subscript
The object access can be exploited to execute JS code
The library is nice, but it is dangerous to load arbitrary expressions, as they can execute arbitrary code like this: const fn = subscript("Math.constructor.constructor('alert(1)')()"); fn({ Math })
Suggestion: disable access to these keys: "__proto__", "constructor", "prototype", or use Object.hasOwn as a filter.
True. Unless we make sure we pass objects with a null prototype.
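The two mitigations raised in this thread, a member-name filter built on Object.hasOwn plus a blocklist, and a null-prototype scope object, as an added example that is not part of the subscript library. The names `safeGet`, `resolvePath`, `makeScope` and `unsafeResolve` are hypothetical and stand in for an evaluator's member-access step.

```javascript
// Hypothetical guarded member access for an expression evaluator
// (added example, not subscript's own code).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Resolve one key on an object. Rejects blocked names and anything that is
// not an own property (Object.hasOwn), so inherited members such as
// Object.prototype.constructor are never reachable from an expression.
function safeGet(obj, key) {
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) {
    throw new TypeError(`cannot read "${key}" of a non-object`);
  }
  if (BLOCKED_KEYS.has(key)) {
    throw new Error(`access to "${key}" is not allowed`);
  }
  if (!Object.hasOwn(obj, key)) {
    throw new Error(`"${key}" is not an own property`);
  }
  return obj[key];
}

// Walk a dotted path such as "Math.PI" one hop at a time through safeGet.
function resolvePath(scope, path) {
  return path.split('.').reduce(safeGet, scope);
}

// Second mitigation from the thread: a null-prototype scope has no
// Object.prototype chain for an unfiltered lookup to climb.
function makeScope(entries) {
  return Object.assign(Object.create(null), entries);
}

// Unguarded walk, kept only to show what the filter changes.
function unsafeResolve(scope, path) {
  return path.split('.').reduce((o, k) => o[k], scope);
}
```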