deeply
Advanced tools
Comparing version 3.0.0 to 3.1.0
@@ -20,5 +20,6 @@ var reduceObject = require('../lib/reduce_object.js'); | ||
| // transfer source values | ||
| reduceObject(to, from, merge); | ||
| // pass context down the line, to allow behavior overrides | ||
| reduceObject.call(this, to, from, merge); | ||
| return to; | ||
| } |
| // list of available flags | ||
| module.exports = | ||
| { | ||
| // allow (original) unsafe behavior of merge all properties, including ones like `__proto__` | ||
| allowDangerousObjectKeys: 'deeply:allowDangerousObjectKeys:' + Math.random(), | ||
| // to prevent (reduce chance of) accidental leaking of the global variables into runtime flags | ||
@@ -5,0 +8,0 @@ useCustomAdapters: 'deeply:useCustomAdapters:' + Math.random(), |
@@ -0,1 +1,3 @@ | ||
| var behaviors = require('../flags.js'); | ||
| // Public API | ||
@@ -16,5 +18,12 @@ module.exports = reduceObject; | ||
| { | ||
| var context = this; | ||
| // clone exposed properties | ||
| Object.keys(source).reduce(function(acc, key) | ||
| { | ||
| if (context.allowDangerousObjectKeys !== behaviors.allowDangerousObjectKeys && isUnsafeKey(key)) | ||
| { | ||
| return acc; | ||
| } | ||
| acc[key] = merge(acc[key], source[key]); | ||
@@ -27,1 +36,12 @@ | ||
| } | ||
| /** | ||
| * Checks if provide key is unsafe to use within object | ||
| * | ||
| * @param {string} key - object key to check against | ||
| * @returns {boolean} - `true` if key is unsafe to use (e.g. __proto__), `false` otherwise | ||
| */ | ||
| function isUnsafeKey(key) { | ||
| return ['__proto__'].indexOf(key) != -1; | ||
| } |
| { | ||
| "name": "deeply", | ||
| "version": "3.0.0", | ||
| "version": "3.1.0", | ||
| "description": "A toolkit for deep structure manipulations, provides deep merge/clone functionality out of the box, and exposes hooks and custom adapters for more control and greater flexibility.", | ||
| "main": "index.js", | ||
| "scripts": { | ||
| "clean": "rimraf coverage", | ||
| "clean": "rimraf .nyc_output coverage", | ||
| "lint": "eslint *.js adapters/*.js test/*.js", | ||
@@ -54,11 +54,17 @@ "test": "nyc --reporter=json tape test/test-*.js | tap-spec", | ||
| }, | ||
| "resolutions": { | ||
| "toc-md/vow-fs": "^0.3.6", | ||
| "toc-md/marked": "^0.3.18" | ||
| }, | ||
| "devDependencies": { | ||
| "browserify": "^16.2.3", | ||
| "browserify-istanbul": "^3.0.1", | ||
| "coveralls": "^3.0.2", | ||
| "coveralls": "^3.0.4", | ||
| "eslint": "^5.9.0", | ||
| "handlebars": "^4.1.2", | ||
| "istanbul": "^0.4.5", | ||
| "js-yaml": "^3.13.1", | ||
| "lodash.partialright": "^4.2.1", | ||
| "moment": "^2.22.2", | ||
| "nyc": "^13.1.0", | ||
| "nyc": "^14.1.1", | ||
| "obake": "^0.1.2", | ||
@@ -65,0 +71,0 @@ "phantomjs-prebuilt": "^2.1.12", |
@@ -7,5 +7,5 @@ # Deeply [](https://www.npmjs.com/package/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
| [](https://ci.appveyor.com/project/alexindigo/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
| [](https://travis-ci.org/alexindigo/deeply) | ||
@@ -18,7 +18,7 @@ [](https://coveralls.io/github/alexindigo/deeply?branch=master) | ||
| | compression | size | | ||
| | :--------------- | ------: | | ||
| | deeply.js | 15.6 kB | | ||
| | deeply.min.js | 5.11 kB | | ||
| | deeply.min.js.gz | 1.53 kB | | ||
| | compression | size | | ||
| | :--------------- | -------: | | ||
| | deeply.js | 16.35 kB | | ||
| | deeply.min.js | 5.36 kB | | ||
| | deeply.min.js.gz | 1.63 kB | | ||
@@ -32,2 +32,3 @@ | ||
| - [Merging](#merging) | ||
| - [Security concerns](#security-concerns) | ||
| - [Cloning](#cloning) | ||
@@ -43,3 +44,4 @@ - [Arrays Custom Merging](#arrays-custom-merging) | ||
| - [Extend Original Function Prototype](#extend-original-function-prototype) | ||
| - [Custom hooks](#custom-hooks) | ||
| - [Custom flags and hooks](#custom-flags-and-hooks) | ||
| - [`allowDangerousObjectKeys`](#allowdangerousobjectkeys) | ||
| - [`useCustomAdapters`](#usecustomadapters) | ||
@@ -78,2 +80,18 @@ - [`useCustomTypeOf`](#usecustomtypeof) | ||
| #### Security concerns | ||
| Due to Prototype Pollution security vulnerability concerns, default behavior of when merging objects is to skip unsafe keys, like `__proto__`, please refer to the [test/compatability.js](test/compatability.js) file for code examples. | ||
| If there is a use case where such behavior is desired, pass `allowDangerousObjectKeys` flag to the context to skip keys safety checks. | ||
| ```javascript | ||
| var merge = require('deeply'); | ||
| var result; | ||
| var context = { allowDangerousObjectKeys: merge.behaviors.allowDangerousObjectKeys }; | ||
| result = merge.call(context, {}, JSON.parse('{"__proto__": {"a0": true}}')); | ||
| // end of the world, cats live with dogs... | ||
| ``` | ||
| ### Cloning | ||
@@ -368,4 +386,13 @@ | ||
| ### Custom hooks | ||
| ### Custom flags and hooks | ||
| #### `allowDangerousObjectKeys` | ||
| As shown in (Security Concerns)[#security-concerns] section, | ||
| you can skip safety checks for unsafe object keys (e.g. `__proto__`) by passing `allowDangerousObjectKeys` flag to the context. | ||
| ```js | ||
| merge.call({ allowDangerousObjectKeys: merge.behaviors.allowDangerousObjectKeys }, {}, JSON.parse('{"__proto__": {"a0": true}}')); | ||
| ``` | ||
| #### `useCustomAdapters` | ||
@@ -372,0 +399,0 @@ |
No alert changes
Improved metrics
- Lines of code
- increased by4.42%
425
- Number of lines in readme file
- increased by5.53%
515
Worsened metrics
- Total package byte prevSize
- decreased by-87.32%
30056
- Dev dependency count
- increased by11.76%
19
- Number of package files
- decreased by-5%
19
No dependency changes