Potential fix for code scanning alert no. 37: Prototype-polluting function

[Tanker187]

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/37

In general, to prevent prototype pollution in deep merge/clone helpers, avoid writing or recursing into special keys that can change object prototypes (__proto__, constructor, and prototype), or restrict recursive merging to existing own properties on the destination. This ensures that user-controlled data cannot modify Object.prototype or other prototypes via crafted keys.

For this code, the least invasive and most compatible fix is to introduce a small helper that detects unsafe keys and then skip such keys in both deepClone and mergeWithDefaultsRecursively. Concretely:

• Define a function, e.g. isUnsafeKey(key: string): boolean, that returns true for __proto__, constructor, and prototype.
• In deepClone, before processing each key from value, check if (isUnsafeKey(key)) continue; so these problematic properties are never cloned into new objects.
• In mergeWithDefaultsRecursively, before reading values[key] or assigning to merged[key], add if (isUnsafeKey(key)) continue; to completely ignore such keys during merging.
• Place the helper near these utilities in packages/vite/src/node/utils.ts. No new imports are needed.

This preserves existing functionality for all normal keys, while dropping only the dangerous ones from user-controlled input, which is standard practice for mitigating prototype pollution.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.