chore(deps): update typescript-eslint monorepo to v8.46.3 (#4264)

* chore(deps): update typescript-eslint monorepo to v8.46.3

* Remove dset dependency

* prevent prototype pollution attack

* chore(dependencies): updated changesets for modified dependencies

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Arda TANRIKULU <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 3 people

.changeset/graphql-yoga-4264-dependencies.md

@@ -0,0 +1,5 @@
+---
+"graphql-yoga": patch
+---
+dependencies updates:
+  - Removed dependency [`dset@^3.1.4` ↗︎](https://www.npmjs.com/package/dset/v/3.1.4) (from `dependencies`)

examples/sveltekit/package.json

@@ -19,8 +19,8 @@
 		"@sveltejs/kit": "2.20.6",
 		"@sveltejs/vite-plugin-svelte": "6.2.1",
 		"@types/jest": "^30.0.0",
-		"@typescript-eslint/eslint-plugin": "8.46.2",
-		"@typescript-eslint/parser": "8.46.2",
+		"@typescript-eslint/eslint-plugin": "8.46.3",
+		"@typescript-eslint/parser": "8.46.3",
 		"@whatwg-node/fetch": "0.10.11",
 		"eslint": "9.39.1",
 		"eslint-config-prettier": "10.1.8",

packages/graphql-yoga/package.json

@@ -59,7 +59,6 @@
     "@whatwg-node/fetch": "^0.10.6",
     "@whatwg-node/promise-helpers": "^1.2.4",
     "@whatwg-node/server": "^0.10.14",
-    "dset": "^3.1.4",
     "lru-cache": "^10.0.0",
     "tslib": "^2.8.1"
   },

packages/graphql-yoga/src/plugins/request-parser/post-multipart.ts

@@ -1,4 +1,3 @@
-import { dset } from 'dset';
 import { createGraphQLError } from '@graphql-tools/utils';
 import { handleMaybePromise, MaybePromise } from '@whatwg-node/promise-helpers';
 import { GraphQLParams } from '../../types.js';
@@ -48,7 +47,7 @@ export function parsePOSTMultipartRequest(request: Request): MaybePromise<GraphQ
           const file = requestBody.get(fileIndex);
           const keys = map[fileIndex]!;
           for (const key of keys) {
-            dset(operations, key, file);
+            setObjectKeyPath(operations, key, file);
           }
         }
       }
@@ -69,3 +68,24 @@ export function parsePOSTMultipartRequest(request: Request): MaybePromise<GraphQ
     },
   );
 }
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+function setObjectKeyPath(object: any, keyPath: string, value: any): void {
+  const keys = keyPath.split('.');
+  let current = object;
+  for (let i = 0; i < keys.length; i++) {
+    const key = keys[i]!;
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+      return;
+    }
+    const isLastKey = i === keys.length - 1;
+    if (isLastKey) {
+      current[key] = value;
+    } else {
+      if (!(key in current)) {
+        current[key] = {};
+      }
+      current = current[key];
+    }
+  }
+}