@poppinss/utils - npm Package Compare versions

Comparing version 2.2.8 to 2.3.0

build/src/esmRequire.d.ts

 /**
- * @module @poppinss/utils
- */
-/**
  * Handles ESM `default` exports and common js vanilla exports. The `default`
@@ -6,0 +3,0 @@ * exports are only entertained, when `esmEnabled` is set to true.

build/src/esmRequire.js

 "use strict";
-/**
- * @module @poppinss/utils
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.esmRequire = void 0;
 /*
@@ -15,2 +10,4 @@ * @poppinss/utils
  */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.esmRequire = void 0;
 const esmResolver_1 = require("./esmResolver");
@@ -17,0 +14,0 @@ /**

build/src/esmResolver.d.ts

@@ -1,4 +0,1 @@
-/**
- * @module @poppinss/utils
- */
 export declare function esmResolver(output: any): any;

build/src/esmResolver.js

 "use strict";
-/**
- * @module @poppinss/utils
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.esmResolver = void 0;
 /*
@@ -15,2 +10,4 @@ * @poppinss/utils
  */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.esmResolver = void 0;
 function esmResolver(output) {
@@ -17,0 +14,0 @@ return output && output.__esModule && output.default ? output.default : output;

build/src/Exception.d.ts

 /**
- * @module @poppinss/utils
- */
-/**
  * Extended Error object with the option to set error `status` and `code`.
@@ -16,3 +13,3 @@ * At AdonisJs, we prefer exceptions with proper error codes to handle
     message: string;
-    description?: string;
+    help?: string;
     code?: string;
@@ -19,0 +16,0 @@ status: number;

build/src/Exception.js

 "use strict";
-/**
- * @module @poppinss/utils
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.Exception = void 0;
 /*
@@ -15,2 +10,4 @@ * @poppinss/utils
  */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Exception = void 0;
 /**
@@ -17,0 +14,0 @@ * Extended Error object with the option to set error `status` and `code`.

build/src/MessageBuilder.js

@@ -16,3 +16,4 @@ "use strict";
 const ms_1 = __importDefault(require("ms"));
-const destr_1 = __importDefault(require("destr"));
+const safeParse_1 = require("./safeParse");
+const safeStringify_1 = require("./safeStringify");
 /**
@@ -62,3 +63,3 @@ * Message builder exposes an API to JSON.stringify values by encoding purpose
         const expiryDate = this.getExpiryDate(expiresIn);
-        return JSON.stringify({ message, purpose, expiryDate });
+        return safeStringify_1.safeStringify({ message, purpose, expiryDate });
     }
@@ -69,26 +70,31 @@ /**
     verify(message, purpose) {
-        try {
-            const parsed = destr_1.default(message);
-            if (!parsed.message) {
-                return null;
-            }
-            /**
-             * Ensure purposes are same
-             */
-            if (parsed.purpose !== purpose) {
-                return null;
-            }
-            /**
-             * Ensure isn't expired
-             */
-            if (this.isExpired(parsed)) {
-                return null;
-            }
-            return parsed.message;
+        const parsed = safeParse_1.safeParse(message);
+        /**
+         * Safe parse returns the value as it is when unable to JSON.parse it. However, in
+         * our case if value was correctly parsed, it should never match the input
+         */
+        if (parsed === message) {
+            return null;
         }
-        catch (error) {
+        /**
+         * Missing ".message" property
+         */
+        if (!parsed.message) {
             return null;
         }
+        /**
+         * Ensure purposes are same.
+         */
+        if (parsed.purpose !== purpose) {
+            return null;
+        }
+        /**
+         * Ensure isn't expired
+         */
+        if (this.isExpired(parsed)) {
+            return null;
+        }
+        return parsed.message;
     }
 }
 exports.MessageBuilder = MessageBuilder;

build/src/safeEqual.js

@@ -40,3 +40,4 @@ "use strict";
          */
-        return crypto_1.timingSafeEqual(valueBuffer, comparisonValueBuffer) && expectedLength === Buffer.byteLength(comparisonValue);
+        return (crypto_1.timingSafeEqual(valueBuffer, comparisonValueBuffer) &&
+            expectedLength === Buffer.byteLength(comparisonValue));
     }
@@ -43,0 +44,0 @@ return crypto_1.timingSafeEqual(Buffer.from(value), Buffer.from(comparisonValue));

LICENSE.md

 # The MIT License
 
-Copyright 2019 Harminder virk, contributors
+Copyright 2020 Harminder virk, contributors
 
@@ -5,0 +5,0 @@ Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

package.json

 {
 	"name": "@poppinss/utils",
-	"version": "2.2.8",
+	"version": "2.3.0",
 	"description": "Handy utilities for repetitive work",
@@ -15,3 +15,2 @@ "main": "build/index.js",
 		"test": "node japaFile.js",
-		"lint": "eslint . --ext=.ts",
 		"clean": "del build",
@@ -24,3 +23,6 @@ "compile": "npm run lint && npm run clean && tsc",
 		"version": "npm run build",
-		"format": "prettier --write ."
+		"format": "prettier --write .",
+		"prepublishOnly": "npm run build",
+		"lint": "eslint . --ext=.ts",
+		"sync-labels": "github-label-sync --labels ./node_modules/@adonisjs/mrm-preset/gh-labels.json poppinss/utils"
 	},
@@ -33,6 +35,6 @@ "keywords": [
 	"devDependencies": {
-		"@adonisjs/mrm-preset": "^2.3.6",
-		"@poppinss/dev-utils": "^1.0.6",
+		"@adonisjs/mrm-preset": "^2.4.0",
+		"@poppinss/dev-utils": "^1.0.7",
 		"@types/ms": "^0.7.31",
-		"@types/node": "^14.0.14",
+		"@types/node": "^14.0.23",
 		"commitizen": "^4.1.2",
@@ -42,6 +44,7 @@ "cz-conventional-changelog": "^3.2.0",
 		"doctoc": "^1.4.0",
-		"eslint": "^7.3.1",
+		"eslint": "^7.4.0",
 		"eslint-config-prettier": "^6.11.0",
 		"eslint-plugin-adonis": "^1.0.14",
 		"eslint-plugin-prettier": "^3.1.4",
+		"github-label-sync": "^2.0.0",
 		"husky": "^4.2.5",
@@ -51,7 +54,7 @@ "japa": "^3.1.1",
 		"mrm": "^2.3.3",
-		"np": "^6.2.5",
+		"np": "^6.3.2",
 		"npm-audit-html": "^1.4.1",
 		"prettier": "^2.0.5",
 		"ts-node": "^8.10.2",
-		"typescript": "^3.9.6"
+		"typescript": "^3.9.7"
 	},
@@ -84,2 +87,3 @@ "nyc": {
 		"destr": "^1.0.0",
+		"fast-safe-stringify": "^2.0.7",
 		"fs-readdir-recursive": "^1.1.0",
@@ -86,0 +90,0 @@ "ms": "^2.1.2",

README.md

 # Utils
 > Collection of reusable scripts used by AdonisJS core team
 
-[![circleci-image]][circleci-url] [![typescript-image]][typescript-url] [![npm-image]][npm-url] [![license-image]][license-url]
+[![circleci-image]][circleci-url] [![typescript-image]][typescript-url] [![npm-image]][npm-url] [![license-image]][license-url] [![audit-report-image]][audit-report-url]
 
@@ -28,4 +28,5 @@ This module exports a collection of re-usable utilties to avoid re-writing the same code in every other package. We also include a handful of Lodash utilities, which are used across the AdonisJS packages eco-system.
 - [Safe equal](#safe-equal)
+- [Safe stringify](#safe-stringify)
+- [Safe parse](#safe-parse)
 - [Message Builder](#message-builder)
-- [Audit report](#audit-report)
 
@@ -232,2 +233,33 @@ <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
+## Safe stringify
+Similar to `JSON.stringify`, but also handles Circular references by removing them.
+
+```ts
+import { safeStringify } from '@poppinss/utils'
+
+const o = { b: 1, a: 0 }
+o.o = o
+
+console.log(safeStringify(o))
+// { "b":1,"a":0 }
+
+console.log(JSON.stringify(o))
+// TypeError: Converting circular structure to JSON
+```
+
+## Safe parse
+Similar to `JSON.parse`, but protects against [Prototype Poisoning](https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96)
+
+```ts
+import { safeParse } from '@poppinss/utils'
+
+const input = '{ "user": { "__proto__": { "isAdmin": true } } }'
+
+JSON.parse(input)
+// { user: { __proto__: { isAdmin: true } } }
+
+safeParse(input)
+// { user: {} }
+```
+
 ## Message Builder
@@ -259,5 +291,2 @@ Message builder provides a sane API for stringifying objects similar to `JSON.stringify` but has a few advantages.
 
-## Audit report
-[Click here](https://htmlpreview.github.io/?https://github.com/poppinss/utils/blob/develop/npm-audit.html) to see the latest npm audit report.
-
 [circleci-image]: https://img.shields.io/circleci/project/github/poppinss/utils/master.svg?style=for-the-badge&logo=circleci
@@ -274,1 +303,4 @@ [circleci-url]: https://circleci.com/gh/poppinss/utils "circleci"
 [license-url]: LICENSE.md "license"
+
+[audit-report-image]: https://img.shields.io/badge/-Audit%20Report-blueviolet?style=for-the-badge
+[audit-report-url]: https://htmlpreview.github.io/?https://github.com/poppinss/utils/blob/develop/npm-audit.html "audit-report"

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

63617

increased by4.6%

Number of package files

34

increased by13.33%

Lines of code

880

increased by5.64%

Number of lines in readme file

303

increased by11.81%

Worsened metrics

Dependency count

7

increased by16.67%

Dev dependency count

22

increased by4.76%

Dependency changes

• + Addedfast-safe-stringify@^2.0.7

• + Addedfast-safe-stringify@2.1.1(transitive)