fix(server): guard collection lookup against prototype keys

[itsmelouis]

🔗 Linked issue

No related issue.

📚 Description

src/runtime/server/api.ts looks the collection up via collections[collectionName], which also resolves inherited keys from Object.prototype (__proto__, toString, constructor, ...). The resolved value gets passed down to getIcons(),
which is not designed to handle it and crashes --> 500.

The fix is one line: gate the lookup with Object.hasOwn(collections, collectionName) so only own keys are considered. Unknown / prototype keys now fall through to the API fallback (or 404 if fallbackToApi is disabled), same as any other unknown collection.

Repro in the playground:

pnpm dev
curl -i 'http://localhost:3000/api/_nuxt_icon/toString.json?icons=bad'

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e32de37d-d8a9-4d13-9d71-b8b092ecb51f

📥 Commits

Reviewing files that changed from the base of the PR and between 3b25a8d and be2f861.

📒 Files selected for processing (1)

• src/runtime/server/api.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/runtime/server/api.ts

---

📝 Walkthrough

Walkthrough

The server icon API adds an explicit existence check before accessing the bundled collections map. Instead of relying solely on optional chaining to handle potentially missing collections, the code now verifies the collection exists using Object.hasOwn(collections, collectionName) before attempting to load it. This ensures non-existent collections consistently resolve to null rather than undefined.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: guarding collection lookup against prototype keys, which matches the core fix in the changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining the problem (prototype key resolution causing crashes) and the solution (Object.hasOwn guard).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

src/runtime/server/api.ts (1)

31-31: 💤 Low value

Optional: Remove redundant optional chaining.

Since Object.hasOwn(collections, collectionName) guarantees the property exists, the optional chaining ?.() on line 31 is technically redundant. You could simplify to collections[collectionName]() for clarity. However, keeping the defensive optional chaining is perfectly acceptable.

♻️ Optional simplification

 const collection = collectionName && Object.hasOwn(collections, collectionName)
-  ? await collections[collectionName]?.()
+  ? await collections[collectionName]()
   : null

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/runtime/server/api.ts` at line 31, The call uses redundant optional
chaining: after confirming Object.hasOwn(collections, collectionName), replace
the defensive call expression collections[collectionName]?.() with a direct call
collections[collectionName]() to simplify the code; locate the expression using
the symbols collections and collectionName and update that invocation
accordingly (you may keep the optional chaining only if you prefer the extra
defensive style).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/runtime/server/api.ts`:
- Line 31: The call uses redundant optional chaining: after confirming
Object.hasOwn(collections, collectionName), replace the defensive call
expression collections[collectionName]?.() with a direct call
collections[collectionName]() to simplify the code; locate the expression using
the symbols collections and collectionName and update that invocation
accordingly (you may keep the optional chaining only if you prefer the extra
defensive style).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 17722e55-2ecb-488e-9131-4def31b92bc6

📥 Commits

Reviewing files that changed from the base of the PR and between 7cafddc and 3b25a8d.

📒 Files selected for processing (1)

• src/runtime/server/api.ts

[pkg-pr-new]

npm i https://pkg.pr.new/@nuxt/icon@488

commit: be2f861

[atinux]

Thank you @itsmelouis 💚