subscript
The object access can be exploited to execute JS code
The library is nice, but it is dangerous to load arbitrary expressions, as they can execute arbitrary code like this: const fn = subscript("Math.constructor.constructor('alert(1)')()"); fn({ Math })
Suggestion: disable access to these keys: "__proto__", "constructor", "prototype", or use Object.hasOwn as a filter.
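Added example, not code from the issue or from the subscript project: it reproduces the constructor-chain escape without the library, then shows a guarded property lookup that applies the two suggestions above (a deny-list for `__proto__`, `constructor` and `prototype`, plus an `Object.hasOwn` filter). The `safeGet` and `resolvePath` helpers are hypothetical names invented for this example; `Object.hasOwn` is ES2022, so this assumes Node 16.9 or newer.

```javascript
// Hypothetical guard modelling the issue's suggestion; not subscript's own code.
// Keys that walk out of an object towards Function/Object are denied outright.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Look up `key` on `obj` only if it is an own property and not on the deny-list.
function safeGet(obj, key) {
  if (obj === null || obj === undefined) return undefined;
  const k = String(key);
  if (DENIED_KEYS.has(k)) {
    throw new Error(`access to "${k}" is not allowed`);
  }
  // Object.hasOwn ignores inherited members, so anything reached through the
  // prototype chain (Math.constructor, Math.toString, ...) resolves to undefined.
  if (!Object.hasOwn(obj, k)) return undefined;
  return obj[k];
}

// Resolve a dotted path such as "Math.PI" through the guard, one segment at a time.
function resolvePath(scope, path) {
  return path.split('.').reduce((cur, key) => safeGet(cur, key), scope);
}

// The escape from the issue, with the alert replaced by a harmless payload:
// Math.constructor === Object, Object.constructor === Function, and
// Function(src) compiles and returns arbitrary code.
function unguardedEscape() {
  const fn = Math.constructor.constructor('return 6 * 7');
  return fn(); // 42: code execution through the constructor chain
}

// The same path through the guard: the first hop ("constructor") is denied.
function guardedEscape() {
  try {
    const ctor = resolvePath({ Math }, 'Math.constructor.constructor');
    return typeof ctor === 'function' ? 'escaped' : 'blocked';
  } catch (e) {
    return 'blocked';
  }
}

// Legitimate own-property access still works through the guard.
function guardedLookup() {
  return resolvePath({ Math }, 'Math.PI');
}

console.log(unguardedEscape(), guardedEscape(), guardedLookup());
```

The two checks cover different cases: `Object.hasOwn` stops paths that go through inherited members (`Math.constructor` lives on `Object.prototype`), while the deny-list is still needed for own properties such as a scope function's `prototype` and its `constructor`, which lead back to `Function`. Neither check helps if the scope itself hands the expression a dangerous value such as `Function` or `eval`, so the scope passed to the evaluator should contain only the data the expression needs.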