fix: codescanning alerts (#2044)

chgeo · github-advanced-security[bot] · web-flow · commit 59c1a1f4018e · 2025-08-20T18:48:02.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/PR-SAP.yml b/.github/workflows/PR-SAP.yml
@@ -9,6 +9,9 @@ concurrency:
   group: pr-sap-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-sap:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml
@@ -8,6 +8,9 @@ concurrency:
   group: pr-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/tools/cds-lint/components/PlaygroundBadge.vue b/tools/cds-lint/components/PlaygroundBadge.vue
@@ -33,21 +33,12 @@ export default [
 
 const defaultPackageJson = JSON.parse(data['package.json']);
 
-function mergeJSONs(target: any, add: any) {
-    const isObject = (obj: unknown) => typeof obj === 'object';
-    Object.entries(add).forEach(([key, addVal]) => {
-        const targetVal = target[key];
-        if (targetVal && isObject(targetVal) && isObject(addVal)) {
-            if ((Array.isArray(targetVal) && Array.isArray(addVal))) {
-                targetVal.push(...addVal);
-                return;
-            }
-            mergeJSONs(targetVal, addVal);
-        } else {
-            target[key] = addVal;
-        }
-    });
-    return target;
+const is_object = x => typeof x === 'object' && x !== null && !Array.isArray(x)
+function merge (o:any,...xs:any) {
+  let v:any; for (let x of xs) for (let k in x)
+    if (k === '__proto__' || k === 'constructor') continue //> avoid prototype pollution
+    else o[k] = is_object(v=x[k]) ? merge(o[k]??={},v) : v
+  return o
 }
 
 function link(name: Props['name'] = "", kind: Props['kind'], rules?: Props['rules'], files?: Props['files'], packages?: Props['packages'] ): string {
@@ -66,7 +57,7 @@ function link(name: Props['name'] = "", kind: Props['kind'], rules?: Props['rule
     sources[configFileName] = defaultConfig;
   }
   if (packages) {
-    json = mergeJSONs(defaultPackageJson, packages);
+    json = merge(defaultPackageJson, packages);
   } else {
     json = defaultPackageJson;
   }
