[GHSA-mwv9-gp5h-frr4] Add upstream fix commit reference

[massif-01]

Summary

Adds the upstream fix commit reference for GHSA-mwv9-gp5h-frr4.

Evidence

The advisory already references the upstream GitHub security advisory, the package repository, and the patched v5.6.4 release.

The v5.6.4 release notes explicitly list commit 87c1f3c for rejecting __proto__ keys in malformed Object wrapper payloads and for disallowing __proto__ keys in null-prototype object parsing.

The added commit modifies src/parse.js and adds tests covering these __proto__ parsing cases, so it is the primary upstream code reference for the fix.

Validation

• jq . advisories/github-reviewed/2026/03/GHSA-mwv9-gp5h-frr4/GHSA-mwv9-gp5h-frr4.json >/dev/null
• git diff --check

[Copilot]

Pull request overview

Adds an upstream fix commit reference URL to the GHSA-mwv9-gp5h-frr4 advisory JSON file.

Changes:

• Adds a new WEB reference entry pointing to the upstream fix commit 87c1f3c in sveltejs/devalue.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[advisory-database]

Hi @massif-01! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!