bourne - npm Package Compare versions
Comparing version
| { | ||
| "name": "bourne", | ||
| "description": "A simple serverless database stored in a JSON file.", | ||
| "version": "0.4.0", | ||
| "homepage": "https://github.com/andreww8088/bourne", | ||
| "author": { | ||
| "name": "Andrew Burgess", | ||
| "email": "andrew@burgess.io", | ||
| "url": "http://andrewburgess.ca" | ||
| "description": "JSON parse with prototype poisoning protection", | ||
| "version": "1.0.0", | ||
| "repository": "git://github.com/hapijs/bourne", | ||
| "main": "lib/index.js", | ||
| "keywords": [ | ||
| "JSON", | ||
| "parse", | ||
| "safe", | ||
| "prototype" | ||
| ], | ||
| "dependencies": { | ||
| }, | ||
| "repository": { | ||
| "type": "git", | ||
| "url": "git://github.com/andreww8088/bourne.git" | ||
| "devDependencies": { | ||
| "code": "5.x.x", | ||
| "lab": "18.x.x" | ||
| }, | ||
| "bugs": { | ||
| "url": "https://github.com/andreww8088/bourne/issues" | ||
| }, | ||
| "licenses": [ | ||
| { | ||
| "type": "MIT", | ||
| "url": "https://github.com/andreww8088/bourne/blob/master/LICENSE-MIT" | ||
| } | ||
| ], | ||
| "main": "lib/bourne", | ||
| "engines": { | ||
| "node": ">= 0.8.0" | ||
| }, | ||
| "scripts": { | ||
| "test": "grunt nodeunit" | ||
| "test": "lab -a code -t 100 -L", | ||
| "test-cov-html": "lab -a code -r html -o coverage.html" | ||
| }, | ||
| "devDependencies": { | ||
| "grunt-contrib-jshint": "~0.6.4", | ||
| "grunt-contrib-nodeunit": "~0.2.0", | ||
| "grunt-contrib-watch": "~0.5.3", | ||
| "grunt": "~0.4.2" | ||
| }, | ||
| "keywords": [] | ||
| "license": "BSD-3-Clause" | ||
| } |
@@ -1,27 +0,41 @@ | ||
| # bourne | ||
| # Bourne. JSON Bourne. | ||
| A simple serverless database stored in a JSON file. | ||
| `JSON.parse()` drop-in replacement with prototype poisoning protection | ||
| ## Getting Started | ||
| Install the module with: `npm install bourne` | ||
| ## Introduction | ||
| ```javascript | ||
| var bourne = require('bourne'); | ||
| bourne.awesome(); // "awesome" | ||
| Consider this: | ||
| ``` | ||
| > const a = '{"__proto__":{ "b":5}}'; | ||
| '{"__proto__":{ "b":5}}' | ||
| ## Documentation | ||
| _(Coming soon)_ | ||
| > const b = JSON.parse(a); | ||
| { __proto__: { b: 5 } } | ||
| ## Examples | ||
| _(Coming soon)_ | ||
| > b.b; | ||
| undefined | ||
| ## Contributing | ||
| In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests for any new or changed functionality. Lint and test your code using [Grunt](http://gruntjs.com/). | ||
| > const c = Object.assign({}, b); | ||
| {} | ||
| ## Release History | ||
| _(Nothing yet)_ | ||
| > c.b | ||
| 5 | ||
| ``` | ||
| ## License | ||
| Copyright (c) 2014 Andrew Burgess | ||
| Licensed under the MIT license. | ||
| The problem is that `JSON.parse()` retains the `__proto__` property as a plain object key. By | ||
| itself, this is not a security issue. However, as soon as that object is assigned to another or | ||
| iterated on and values copied, the `__proto__` property leaks and becomes the object's prototype. | ||
| ## API | ||
| ### `Bourne.parse(text, [reviver], [options])` | ||
| Parses a given JSON-formatted text into an object where: | ||
| - `text` - the JSON text string. | ||
| - `reviver` - the `JSON.parse()` optional `reviver` argument. | ||
| - `options` - optional configuration object where: | ||
| - `protoAction` - optional string with one of: | ||
| - `'error'` - throw a `SyntaxError` when a `__proto__` key is found. This is the default value. | ||
| - `'remove'` - deletes any `__proto__` keys from the result object. | ||
| - `'ignore'` - skips all validation (same as calling `JSON.parse()` directly). |
Sorry, the diff of this file is not supported yet
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
No contributors or author data
MaintenancePackage does not specify a list of contributors or an author in package.json.
Found 1 instance in 1 package
No bug tracker
MaintenancePackage does not have a linked bug tracker in package.json.
Found 1 instance in 1 package
No repository
Supply chain riskPackage does not have a linked source code repository. Without this field, a package will have no reference to the location of the source code use to generate the package.
Found 1 instance in 1 package
No website
QualityPackage does not have a website.
Found 1 instance in 1 package
Fixed alerts
Uses eval
Supply chain riskPackage uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 1 instance in 1 package
Filesystem access
Supply chain riskAccesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Dev dependency count
2
-50%- Number of low quality alerts
1
-50%- Number of lines in readme file
42
50%- Number of low supply chain risk alerts
1
-50%Worsened metrics
- Total package byte prevSize
4939
-94.26%- Number of package files
5
-54.55%- Lines of code
48
-97.95%- Number of low maintenance alerts
2
100%- Number of medium supply chain risk alerts
2
100%