New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@percy/config
Advanced tools
@percy/config - npm Package Compare versions
Comparing version 1.30.8-beta.1 to 1.30.8
@@ -1,2 +0,2 @@ | ||
| import { merge } from './utils/index.js'; | ||
| import { merge, sanitizeObject } from './utils/index.js'; | ||
| import { getSchema } from './validate.js'; | ||
@@ -33,3 +33,7 @@ const { | ||
| export function getDefaults(overrides = {}) { | ||
| return merge([getDefaultsFromSchema(), overrides], (path, prev, next) => { | ||
| // We are sanitizing the overrides object to prevent prototype pollution. | ||
| // This ensures protection against attacks where a payload having Object.prototype setters | ||
| // to add or modify properties on the global prototype chain, which could lead to issues like denial of service (DoS) at a minimum. | ||
| const sanitizedOverrides = sanitizeObject(overrides); | ||
| return merge([getDefaultsFromSchema(), sanitizedOverrides], (path, prev, next) => { | ||
| // override default array instead of merging | ||
@@ -36,0 +40,0 @@ return isArray(next) && [path, next]; |
| import merge from './merge.js'; | ||
| import { getSchema } from '../validate.js'; | ||
| const { | ||
| isArray | ||
| } = Array; | ||
@@ -10,2 +13,5 @@ // Edge case camelizations | ||
| // Unsafe keys list | ||
| const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype', 'toString', 'valueOf', '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__']; | ||
| // Converts kebab-cased and snake_cased strings to camelCase. | ||
@@ -57,2 +63,22 @@ export function camelcase(str) { | ||
| } | ||
| // Utility function to prevent prototype pollution | ||
| export function isSafeKey(key) { | ||
| return !UNSAFE_KEYS.includes(key); | ||
| } | ||
| export function sanitizeObject(obj) { | ||
| if (!obj || typeof obj !== 'object' || isArray(obj)) { | ||
| return obj; | ||
| } | ||
| if (obj instanceof RegExp) { | ||
| return obj; | ||
| } | ||
| const sanitized = {}; | ||
| for (const key in obj) { | ||
| if (isSafeKey(key)) { | ||
| sanitized[key] = sanitizeObject(obj[key]); | ||
| } | ||
| } | ||
| return sanitized; | ||
| } | ||
| export default normalize; |
| { | ||
| "name": "@percy/config", | ||
| "version": "1.30.8-beta.1", | ||
| "version": "1.30.8", | ||
| "license": "MIT", | ||
@@ -12,3 +12,3 @@ "repository": { | ||
| "access": "public", | ||
| "tag": "beta" | ||
| "tag": "latest" | ||
| }, | ||
@@ -42,3 +42,3 @@ "engines": { | ||
| "dependencies": { | ||
| "@percy/logger": "1.30.8-beta.1", | ||
| "@percy/logger": "1.30.8", | ||
| "ajv": "^8.6.2", | ||
@@ -51,3 +51,3 @@ "cosmiconfig": "^8.0.0", | ||
| }, | ||
| "gitHead": "db04f87e6074b48cc3940ccffbefe59407016cf6" | ||
| "gitHead": "daa3c96d70488a49671e48427c9b363c68876935" | ||
| } |
Fixed alerts
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by2.97%
35926
- Lines of code
- increased by3.53%
821
- Number of low quality alerts
- decreased by-50%
1
Dependency changes
+ Added@percy/logger@1.30.8(transitive)
- Removed@percy/logger@1.30.8-beta.1(transitive)
Updated@percy/logger@1.30.8