httpquery - npm Package Compare versions

Comparing version 0.4.0 to 0.5.0

CHANGES.md

 # CHANGES to httpquery
 
+## 0.5.0
+
+- fix: BREAKING/SECURITY: drop insecure `query-request-jsonpath` approach
+- refactor: BREAKING: rename `query-request-*` (`xpath1` and `css`) to drop
+  `request-`
+- feat: adds `query-jsonata` as new JSON querying option
+
 ## 0.4.0
@@ -4,0 +11,0 @@

Node/index.js

@@ -9,3 +9,3 @@ // Todo: Make this integratable into a pipeline; ensure can use HTML or XML DOM with content-type accordingly
 import xmldom from 'xmldom';
-import * as JSONPath from 'jsonpath-plus';
+import jsonata from 'jsonata';
 
@@ -76,2 +76,13 @@ const ignoreQuerySupport = true;
 
+    const finish = () => {
+      fileContents = forceJSON ? JSON.stringify(queryResult) : queryResult;
+
+      write(res, 200, responseHeaders, fileContents);
+
+      if (next) {
+        // eslint-disable-next-line node/callback-return -- Not that type
+        next();
+      }
+    };
+
     url = (url.slice(-1) === '/' ? url + 'index.html' : url).replace(/\?.*$/u, '');
@@ -84,3 +95,3 @@ // url = require('url').parse(url).pathname; // Need to strip off request parameters?
 
-    if (req.headers['query-client-support'] && !req.headers['query-request-xpath1'] && !req.headers['query-request-css3'] && !req.headers['query-full-request']) {
+    if (req.headers['query-client-support'] && !req.headers['query-xpath1'] && !req.headers['query-css3'] && !req.headers['query-full-request']) {
       responseHeaders['query-server-support'] = 'xpath1 css3';
@@ -115,8 +126,23 @@ write(res, 200, responseHeaders, ''); // Don't waste bandwidth if client supports protocol and hasn't asked us to deliver the full document
     let queryResult;
-    if ((ignoreQuerySupport || clientJSONPathSupport) && req.headers['query-request-jsonpath'] && !req.headers['query-full-request']) {
-      queryResult = JSON.stringify(JSONPath.JSONPath({
-        json: JSON.parse(fileContents.toString('utf8')),
-        path: req.headers['query-request-jsonpath'].trim()
-      }));
-    } else if ((ignoreQuerySupport || clientXPath1Support) && req.headers['query-request-xpath1'] && !req.headers['query-full-request']) {
+    if ((ignoreQuerySupport || clientJSONPathSupport) && req.headers['query-jsonata'] && !req.headers['query-full-request']) {
+      const jsonataExpression = jsonata(
+        req.headers['query-jsonata'].trim()
+      );
+      const bindings = req.headers['query-jsonata-bindings']?.trim();
+      jsonataExpression.evaluate(
+        JSON.parse(fileContents.toString('utf8')),
+        bindings ? JSON.parse(bindings) : {},
+        // eslint-disable-next-line promise/prefer-await-to-callbacks -- jsonata API
+        (error, result) => {
+          if (error) {
+            exitError(res, responseHeaders, error);
+            return;
+          }
+
+          queryResult = JSON.stringify(result);
+          finish();
+        }
+      );
+      return;
+    } else if ((ignoreQuerySupport || clientXPath1Support) && req.headers['query-xpath1'] && !req.headers['query-full-request']) {
       const nodeArrayToSerializedArray = (arr) => {
@@ -128,10 +154,10 @@ return arr.map((node) => {
       const doc = new xmldom.DOMParser().parseFromString(String(fileContents));
-      const xpath1Request = req.headers['query-request-xpath1'] && req.headers['query-request-xpath1'].trim(); // || '//b[position() > 1 and position() < 4]'; // || '//b/text()',
+      const xpath1Request = req.headers['query-xpath1'] && req.headers['query-xpath1'].trim(); // || '//b[position() > 1 and position() < 4]'; // || '//b/text()',
       queryResult = xpath.select(xpath1Request, doc);
       queryResult = forceJSON ? nodeArrayToSerializedArray(queryResult) : wrapFragment(nodeArrayToSerializedArray(queryResult).join(''));
-    } else if ((ignoreQuerySupport || clientCSS3Support) && req.headers['query-request-css3'] && !req.headers['query-full-request']) {
+    } else if ((ignoreQuerySupport || clientCSS3Support) && req.headers['query-css3'] && !req.headers['query-full-request']) {
       // Support our own custom :text() and :attr(...) pseudo-classes (todo: do as (two-colon) pseudo-elements instead)
       const $ = cheerio.load(String(fileContents));
       // eslint-disable-next-line unicorn/no-unsafe-regex -- Todo
-      const css3RequestFull = req.headers['query-request-css3'] && req.headers['query-request-css3'].trim().match(/(.*?)(?::(text|attr)\(([^)]*)\))?$/u); // Allow explicit "html" (toString) or "toArray" (or "json")?
+      const css3RequestFull = req.headers['query-css3'] && req.headers['query-css3'].trim().match(/(.*?)(?::(text|attr)\(([^)]*)\))?$/u); // Allow explicit "html" (toString) or "toArray" (or "json")?
       const css3Request = css3RequestFull[1];
@@ -171,10 +197,3 @@ const type = css3RequestFull[2] || (forceJSON ? 'toArray' : 'toString');
 
-    fileContents = forceJSON ? JSON.stringify(queryResult) : queryResult;
-
-    write(res, 200, responseHeaders, fileContents);
-
-    if (next) {
-      // eslint-disable-next-line node/callback-return -- Not that type
-      next();
-    }
+    finish();
   };
@@ -181,0 +200,0 @@ }

package.json

 {
   "name": "httpquery",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "author": "Brett Zamir",
@@ -41,3 +41,3 @@ "contributors": [],
     "command-line-basics": "^1.0.2",
-    "jsonpath-plus": "^6.0.1",
+    "jsonata": "^1.8.6",
     "xmldom": "^0.6.0",
@@ -44,0 +44,0 @@ "xpath": "^0.0.32"

Fixed alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

60909

increased by1.06%

Lines of code

271

increased by6.69%

Number of medium supply chain risk alerts

1

decreased by-50%

Dependency changes

• + Addedjsonata@^1.8.6

• + Addedjsonata@1.8.7(transitive)

• - Removedjsonpath-plus@^6.0.1

• - Removedjsonpath-plus@6.0.1(transitive)