Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
@hapi/bourne
Advanced tools
@hapi/bourne - npm Package Compare versions
Comparing version 1.3.2 to 2.0.0
@@ -9,18 +9,10 @@ 'use strict'; | ||
| exports.parse = function (text, reviver, options) { | ||
| exports.parse = function (text, ...args) { | ||
| // Normalize arguments | ||
| if (!options) { | ||
| if (reviver && | ||
| typeof reviver === 'object') { | ||
| const firstOptions = typeof args[0] === 'object' && args[0]; | ||
| const reviver = args.length > 1 || !firstOptions ? args[0] : undefined; | ||
| const options = (args.length > 1 && args[1]) || firstOptions || {}; | ||
| options = reviver; | ||
| reviver = undefined; | ||
| } | ||
| else { | ||
| options = {}; | ||
| } | ||
| } | ||
| // Parse normally, allowing exceptions | ||
@@ -58,6 +50,4 @@ | ||
| exports.scan = function (obj, options) { | ||
| exports.scan = function (obj, options = {}) { | ||
| options = options || {}; | ||
| let next = [obj]; | ||
@@ -64,0 +54,0 @@ |
@@ -1,2 +0,2 @@ | ||
| Copyright (c) 2019, Sideway Inc, and project contributors | ||
| Copyright (c) 2019-2020, Sideway Inc, and project contributors | ||
| All rights reserved. | ||
@@ -3,0 +3,0 @@ |
| { | ||
| "name": "@hapi/bourne", | ||
| "description": "JSON parse with prototype poisoning protection", | ||
| "version": "1.3.2", | ||
| "version": "2.0.0", | ||
| "repository": "git://github.com/hapijs/bourne", | ||
| "main": "lib/index.js", | ||
| "files": [ | ||
| "lib" | ||
| ], | ||
| "keywords": [ | ||
@@ -15,5 +18,5 @@ "JSON", | ||
| "devDependencies": { | ||
| "@hapi/code": "5.x.x", | ||
| "@hapi/lab": "18.x.x", | ||
| "benchmark": "^2.1.4" | ||
| "@hapi/code": "8.x.x", | ||
| "@hapi/lab": "22.x.x", | ||
| "benchmark": "2.x.x" | ||
| }, | ||
@@ -20,0 +23,0 @@ "scripts": { |
@@ -1,54 +0,17 @@ | ||
| <a href="http://hapijs.com"><img src="https://raw.githubusercontent.com/hapijs/assets/master/images/family.png" width="180px" align="right" /></a> | ||
| <a href="https://hapi.dev"><img src="https://raw.githubusercontent.com/hapijs/assets/master/images/family.png" width="180px" align="right" /></a> | ||
| # Bourne. JSON Bourne. | ||
| # @hapi/bourne | ||
| `JSON.parse()` drop-in replacement with prototype poisoning protection | ||
| #### JSON.parse() drop-in replacement with prototype poisoning protection. | ||
| [](https://travis-ci.org/hapijs/bourne) | ||
| **bourne** is part of the **hapi** ecosystem and was designed to work seamlessly with the [hapi web framework](https://hapi.dev) and its other components (but works great on its own or with other frameworks). If you are using a different web framework and find this module useful, check out [hapi](https://hapi.dev) – they work even better together. | ||
| ## Introduction | ||
| ### Visit the [hapi.dev](https://hapi.dev) Developer Portal for tutorials, documentation, and support | ||
| Consider this: | ||
| ## Useful resources | ||
| ``` | ||
| > const a = '{"__proto__":{ "b":5}}'; | ||
| '{"__proto__":{ "b":5}}' | ||
| > const b = JSON.parse(a); | ||
| { __proto__: { b: 5 } } | ||
| > b.b; | ||
| undefined | ||
| > const c = Object.assign({}, b); | ||
| {} | ||
| > c.b | ||
| 5 | ||
| ``` | ||
| The problem is that `JSON.parse()` retains the `__proto__` property as a plain object key. By | ||
| itself, this is not a security issue. However, as soon as that object is assigned to another or | ||
| iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype. | ||
| ## API | ||
| ### `Bourne.parse(text, [reviver], [options])` | ||
| Parses a given JSON-formatted text into an object where: | ||
| - `text` - the JSON text string. | ||
| - `reviver` - the `JSON.parse()` optional `reviver` argument. | ||
| - `options` - optional configuration object where: | ||
| - `protoAction` - optional string with one of: | ||
| - `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value. | ||
| - `'remove'` - deletes any `__proto__` keys from the result object. | ||
| - `'ignore'` - skips all validation (same as calling `JSON.parse()` directly). | ||
| ### `Bourne.scan(obj, [options])` | ||
| Scans a given object for prototype properties where: | ||
| - `obj` - the object being scanned. | ||
| - `options` - optional configuration object where: | ||
| - `protoAction` - optional string with one of: | ||
| - `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value. | ||
| - `'remove'` - deletes any `__proto__` keys from the input `obj`. | ||
| - [Documentation and API](https://hapi.dev/family/bourne/) | ||
| - [Version status](https://hapi.dev/resources/status/#bourne) (builds, dependencies, node versions, licenses, eol) | ||
| - [Changelog](https://hapi.dev/family/bourne/changelog/) | ||
| - [Project policies](https://hapi.dev/policies/) | ||
| - [Free and commercial support options](https://hapi.dev/support/) |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Deprecated
MaintenanceThe maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Found 1 instance in 1 package
Improved metrics
- Number of medium maintenance alerts
- decreased by-100%
0
Worsened metrics
- Total package byte prevSize
- decreased by-15%
5101
- Number of package files
- decreased by-20%
4
- Lines of code
- decreased by-12.12%
58
- Number of lines in readme file
- decreased by-67.27%
18
No dependency changes