@poppinss/cookie - npm Package Compare versions

Comparing version 1.0.7 to 1.0.8

build/src/Cookie.js

@@ -15,2 +15,3 @@ "use strict";
 const ms_1 = __importDefault(require("ms"));
+const bourne_1 = __importDefault(require("@hapi/bourne"));
 const cookie_signature_1 = __importDefault(require("cookie-signature"));
@@ -80,4 +81,6 @@ const cookie_1 = __importDefault(require("cookie"));
     /**
-     * Parse JSON cookies using `JSON.parse`. The cookie builder
-     * prepends `j:` to non string values.
+     * Parse JSON cookies using `bourne.parse`. The cookie builder
+     * prepends `j:` to non string values. We use bourne instead of native
+     * JSON.parse to avoid prototype poising. Read this
+     * https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96
      */
@@ -87,3 +90,3 @@ if (parsedValue.substr(0, 2) === 'j:') {
             return {
-                value: JSON.parse(parsedValue.slice(2)),
+                value: bourne_1.default.parse(parsedValue.slice(2), { protoAction: 'remove' }),
                 signed,
@@ -151,3 +154,2 @@ };
 function serialize(key, value, secretKey, options) {
-    var _a, _b;
     const packedValue = pack(value, secretKey);
@@ -160,3 +162,3 @@ if (packedValue === null) {
      */
-    let expires = (_a = options) === null || _a === void 0 ? void 0 : _a.expires;
+    let expires = options === null || options === void 0 ? void 0 : options.expires;
     if (typeof (expires) === 'function') {
@@ -168,3 +170,3 @@ expires = expires();
      */
-    let maxAge = (_b = options) === null || _b === void 0 ? void 0 : _b.maxAge;
+    let maxAge = options === null || options === void 0 ? void 0 : options.maxAge;
     if (typeof (maxAge) === 'string') {
@@ -171,0 +173,0 @@ maxAge = ms_1.default(maxAge) / 1000;

package.json

 {
   "name": "@poppinss/cookie",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Cookie parser for Node.js",
@@ -33,3 +33,3 @@ "main": "build/index.js",
     "@types/cookie-signature": "^1.0.3",
-    "@types/node": "^13.7.0",
+    "@types/node": "^13.7.6",
     "commitizen": "^4.0.3",
@@ -40,4 +40,4 @@ "cz-conventional-changelog": "^3.1.0",
     "eslint": "^6.8.0",
-    "eslint-plugin-adonis": "^1.0.6",
-    "husky": "^4.2.1",
+    "eslint-plugin-adonis": "^1.0.8",
+    "husky": "^4.2.3",
     "japa": "^3.0.1",
@@ -47,6 +47,6 @@ "mrm": "^2.0.4",
     "ts-node": "^8.6.2",
-    "typedoc": "^0.16.9",
+    "typedoc": "^0.16.10",
     "typedoc-plugin-external-module-name": "^3.0.0",
-    "typedoc-plugin-markdown": "^2.2.16",
-    "typescript": "^3.7.5"
+    "typedoc-plugin-markdown": "^2.2.17",
+    "typescript": "^3.8.2"
   },
@@ -78,2 +78,3 @@ "nyc": {
   "dependencies": {
+    "@hapi/bourne": "^2.0.0",
     "cookie": "^0.4.0",
@@ -80,0 +81,0 @@ "cookie-signature": "^1.1.0",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

14669

increased by2.2%

Lines of code

265

increased by0.76%

Worsened metrics

Dependency count

4

increased by33.33%

Dependency changes

• + Added@hapi/bourne@^2.0.0

• + Added@hapi/bourne@2.1.0(transitive)