--- services/web/node_modules/mongoose/lib/document.js
+++ services/web/node_modules/mongoose/lib/document.js
@@ -739,6 +739,10 @@ function init(self, obj, doc, opts, prefix) {

   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schemaType = docSchema.path(path);