Fix safe handling of constructor null values (#142)

* Fix safe handling of constructor null values

Add defensive null checking in scan function to prevent potential TypeError
when constructor property is set to null. This addresses issue #141 where
accessing constructor.prototype could fail if constructor is null.

Changes:
- Enhanced scan function with safe constructor value checking
- Added test case for constructor null handling
- Maintains existing security behavior and test coverage

Fixes #141

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Matteo Collina <[email protected]>

* Fix linting issues and update CLAUDE.md

- Remove trailing spaces in test file to satisfy neostandard linting
- Update CLAUDE.md with current project structure and tooling:
  * Changed from standard to neostandard with ESLint 9
  * Updated test commands and structure (test/ directory)
  * Added TypeScript support information
  * Enhanced security details about constructor.prototype handling

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Matteo Collina <[email protected]>

* Remove CLAUDE.md from tracking and update .gitignore

- Remove CLAUDE.md from git tracking while keeping local copy
- Add CLAUDE.md and .claude directory to .gitignore

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Matteo Collina <[email protected]>

---------

Signed-off-by: Matteo Collina <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: mcollina

.gitignore

@@ -153,3 +153,9 @@ yarn.lock
 
 **/._*
 **/*.pem
+
+# CLAUDE.md
+CLAUDE.md
+
+# Claude Code directory
+.claude

index.js

@@ -76,6 +76,8 @@ function filter (obj, { protoAction = 'error', constructorAction = 'error', safe
 
       if (constructorAction !== 'ignore' &&
           Object.prototype.hasOwnProperty.call(node, 'constructor') &&
+          node.constructor !== null &&
+          typeof node.constructor === 'object' &&
           Object.prototype.hasOwnProperty.call(node.constructor, 'prototype')) { // Avoid calling node.hasOwnProperty directly
         if (safe === true) {
           return null

test/index.test.js

@@ -257,6 +257,27 @@ test('parse', t => {
       t.end()
     })
 
+    t.test('handles constructor null safely', t => {
+      // Test that constructor: null doesn't trigger prototype pollution checks
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'remove' }),
+        { constructor: null }
+      )
+
+      // Test that constructor: null doesn't throw error when using error action
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'error' }),
+        { constructor: null }
+      )
+
+      // Test that constructor: null is preserved when using ignore action
+      t.deepEqual(
+        j.parse('{"constructor": null}', { constructorAction: 'ignore' }),
+        { constructor: null }
+      )
+      t.end()
+    })
+
     t.end()
   })