js-yaml - npm Package Compare versions
Comparing version 2.0.4 to 2.0.5
@@ -11,3 +11,3 @@ 'use strict'; | ||
| try { | ||
| var doc = require(__dirname + '/single.yml'); | ||
| var doc = require(__dirname + '/sample_document.yaml'); | ||
| console.log(inspect(doc, false, 10, true)); | ||
@@ -14,0 +14,0 @@ } catch (e) { |
@@ -0,1 +1,8 @@ | ||
| 2.0.5 / 2013-04-26 | ||
| ------------------ | ||
| * Close security issue in !!js/function constructor. | ||
| Big thanks to @nealpoole for security audit. | ||
| 2.0.4 / 2013-04-08 | ||
@@ -2,0 +9,0 @@ ------------------ |
| 'use strict'; | ||
| var esprima = require('esprima'); | ||
| var NIL = require('../../common').NIL; | ||
@@ -10,8 +13,26 @@ var Type = require('../../type'); | ||
| /*jslint evil:true*/ | ||
| var func; | ||
| try { | ||
| func = new Function('return ' + object); | ||
| return func(); | ||
| } catch (error) { | ||
| var source = '(' + object + ')', | ||
| ast = esprima.parse(source, { range: true }), | ||
| params = [], | ||
| body; | ||
| if ('Program' !== ast.type || | ||
| 1 !== ast.body.length || | ||
| 'ExpressionStatement' !== ast.body[0].type || | ||
| 'FunctionExpression' !== ast.body[0].expression.type) { | ||
| return NIL; | ||
| } | ||
| ast.body[0].expression.params.forEach(function (param) { | ||
| params.push(param.name); | ||
| }); | ||
| body = ast.body[0].expression.body.range; | ||
| // Esprima's ranges include the first '{' and the last '}' characters on | ||
| // function expressions. So cut them out. | ||
| return new Function(params, source.slice(body[0]+1, body[1]-1)); | ||
| } catch (err) { | ||
| return NIL; | ||
@@ -18,0 +39,0 @@ } |
| { | ||
| "name" : "js-yaml", | ||
| "version" : "2.0.4", | ||
| "version" : "2.0.5", | ||
| "description" : "YAML 1.2 parser and serializer", | ||
@@ -35,5 +35,6 @@ "keywords" : ["yaml", "parser", "serializer", "pyyaml"], | ||
| "dependencies" : { "argparse": "~ 0.1.11" }, | ||
| "dependencies" : { "argparse": "~ 0.1.11", | ||
| "esprima": "~ 1.0.2" }, | ||
| "devDependencies" : { "mocha": "*" }, | ||
| "engines" : { "node": ">= 0.6.0" } | ||
| } |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Uses eval
Supply chain riskPackage uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 1 instance in 1 package
Dynamic require
Supply chain riskDynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Uses eval
Supply chain riskPackage uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 1 instance in 1 package
Dynamic require
Supply chain riskDynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.81%
109628
- Lines of code
- increased by0.54%
2770
Worsened metrics
- Dependency count
- increased by100%
2
Dependency changes
+ Addedesprima@~ 1.0.2
+ Addedesprima@1.0.4(transitive)