TL;DR Cursor and Claude Code default to for...in object merge -- a CWE-1321 prototype pollution vector Root cause: AI training data skews toward pre-2019 StackOverflow answers that predate Object.hasOwn() One-line fix closes it entirely -- AI just never adds it unless you ask Last week I was reviewing a side project a friend asked me to look over. Node backend, built almost entirely in Cursor