fast-json-stringify - npm Package Compare versions

Comparing version 1.14.0 to 1.15.0

index.js

@@ -5,19 +5,4 @@ 'use strict'
 var merge = require('deepmerge')
+var validate = require('./schema-validator')
 
-// This Ajv instance is used to validate that the passed schema
-// is valid json schema. We reuse the instance to avoid having to
-// pay the ajv creation cost more than once.
-var ajv = new Ajv({
-  // Ignore any unknown formats as they aren't used.
-  unknownFormats: 'ignore',
-
-  // Ignoring unknown formats emits warnings, but we don't need to hear about
-  // them.
-  logger: {
-    log: console.log,
-    warn: function () {},
-    error: console.error
-  }
-})
-
 var uglify = null
@@ -38,5 +23,25 @@ var isLong
 
+function isValidSchema (schema, name) {
+  if (!validate(schema)) {
+    if (name) {
+      name = `"${name}" `
+    } else {
+      name = ''
+    }
+    const first = validate.errors[0]
+    const err = new Error(`${name}schema is invalid: data${first.dataPath} ${first.message}`)
+    err.errors = isValidSchema.errors
+    throw err
+  }
+}
+
 function build (schema, options) {
   options = options || {}
-  isValidSchema(schema, options.schema)
+  isValidSchema(schema)
+  if (options.schema) {
+    for (let key of Object.keys(options.schema)) {
+      isValidSchema(options.schema[key], key)
+    }
+  }
+
   /* eslint no-new-func: "off" */
@@ -990,17 +995,2 @@ var code = `
 
-function isValidSchema (schema, externalSchema) {
-  if (externalSchema) {
-    Object.keys(externalSchema).forEach(key => {
-      try {
-        ajv.addSchema(externalSchema[key], key)
-      } catch (err) {
-        err.message = '"' + key + '" ' + err.message
-        throw err
-      }
-    })
-  }
-  ajv.compile(schema)
-  ajv.removeSchema()
-}
-
 function isEmpty (schema) {
@@ -1007,0 +997,0 @@ for (var key in schema) {

package.json

 {
   "name": "fast-json-stringify",
-  "version": "1.14.0",
+  "version": "1.15.0",
   "description": "Stringify your JSON at max speed",
@@ -34,2 +34,3 @@ "main": "index.js",
   "devDependencies": {
+    "ajv-pack": "^0.3.1",
     "benchmark": "^2.1.4",
@@ -49,3 +50,8 @@ "is-my-json-valid": "^2.19.0",
     "deepmerge": "^3.0.0"
+  },
+  "standard": {
+    "ignore": [
+      "schema-validator.js"
+    ]
   }
 }

README.md

@@ -45,2 +45,3 @@ # fast-json-stringify
  - <a href="#nullable">`Nullable`</a>
+- <a href="#caveat">`Caveat`</a>
 - <a href="#acknowledgements">`Acknowledgements`</a>
@@ -100,3 +101,3 @@ - <a href="#license">`License`</a>
 
-And nested ones, too.  
+And nested ones, too.
 
@@ -113,3 +114,3 @@ <a name="specific"></a>
 #### Required
-You can set specific fields of an object as required in your schema by adding the field name inside the `required` array in your schema.  
+You can set specific fields of an object as required in your schema by adding the field name inside the `required` array in your schema.
 Example:
@@ -135,3 +136,3 @@ ```javascript
 #### Missing fields
-If a field *is present* in the schema (and is not required) but it *is not present* in the object to stringify, `fast-json-stringify` will not write it in the final string.  
+If a field *is present* in the schema (and is not required) but it *is not present* in the object to stringify, `fast-json-stringify` will not write it in the final string.
 Example:
@@ -183,5 +184,5 @@ ```javascript
 #### Pattern properties
-`fast-json-stringify` supports pattern properties as defined by JSON schema.  
-*patternProperties* must be an object, where the key is a valid regex and the value is an object, declared in this way: `{ type: 'type' }`.  
-*patternProperties* will work only for the properties that are not explicitly listed in the properties object.  
+`fast-json-stringify` supports pattern properties as defined by JSON schema.
+*patternProperties* must be an object, where the key is a valid regex and the value is an object, declared in this way: `{ type: 'type' }`.
+*patternProperties* will work only for the properties that are not explicitly listed in the properties object.
 Example:
@@ -219,4 +220,4 @@ ```javascript
 #### Additional properties
-`fast-json-stringify` supports additional properties as defined by JSON schema.  
-*additionalProperties* must be an object or a boolean, declared in this way: `{ type: 'type' }`.  
+`fast-json-stringify` supports additional properties as defined by JSON schema.
+*additionalProperties* must be an object or a boolean, declared in this way: `{ type: 'type' }`.
 *additionalProperties* will work only for the properties that are not explicitly listed in the *properties* and *patternProperties* objects.
@@ -226,3 +227,3 @@
 Missing fields are ignored to avoid having to rewrite objects before serializing. However, other schema rules would throw in similar situations.
-If *additionalProperties* is set to `true`, it will be used by `JSON.stringify` to stringify the additional properties. If you want to achieve maximum performance, we strongly encourage you to use a fixed schema where possible.  
+If *additionalProperties* is set to `true`, it will be used by `JSON.stringify` to stringify the additional properties. If you want to achieve maximum performance, we strongly encourage you to use a fixed schema where possible.
 Example:
@@ -337,4 +338,4 @@ ```javascript
 #### Reuse - $ref
-If you want to reuse a definition of a value, you can use the property `$ref`.  
-The value of `$ref` must be a string in [JSON Pointer](https://tools.ietf.org/html/rfc6901) format.  
+If you want to reuse a definition of a value, you can use the property `$ref`.
+The value of `$ref` must be a string in [JSON Pointer](https://tools.ietf.org/html/rfc6901) format.
 Example:
@@ -375,3 +376,3 @@ ```javascript
 ```
-If you need to use an external definition, you can pass it as an option to `fast-json-stringify`.  
+If you need to use an external definition, you can pass it as an option to `fast-json-stringify`.
 Example:
@@ -500,2 +501,12 @@ ```javascript
 
+<a name="caveat"></a>
+## Caveat
+
+In order to achieve lowest cost/highest performance redaction `fast-json-stringify`
+creates and compiles a function (using the `Function` constructor) on initialization.
+While the `schema` is currently validated for any developer errors, it's recommended against
+allowing user input to directly supply a schema.
+It can't be guaranteed that allowing user input for the schema couldn't feasibly expose an attack
+vector.
+
 <a name="acknowledgements"></a>
@@ -502,0 +513,0 @@ ## Acknowledgements

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

252565

increased by85.96%

Number of package files

48

increased by4.35%

Lines of code

6942

increased by33.78%

Number of lines in readme file

511

increased by2.2%

Worsened metrics

Dev dependency count

11

increased by10%

Number of low supply chain risk alerts

1

increased byInfinity%

No dependency changes