json-ptr - npm Package Compare versions

Comparing version 2.2.1-master.0c06aa1 to 2.2.1-master.18a4d58

package.json
{
"name": "json-ptr",
"version": "2.2.1-master.0c06aa1",
"version": "2.2.1-master.18a4d58",
"author": "Phillip Clark <phillip@flitbit.com>",

@@ -12,7 +12,14 @@ "description": "A complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.",

],
"main": "dist/index.js",
"types": "dist/index.d.ts",
"main": "dist/cjs/index.js",
"module": "dist/esm/index.js",
"umd": "dist/json-ptr.min.js",
"exports": {
".": {
"import": "./dist/esm/index.js",
"require": "./dist/cjs/index.js"
}
},
"types": "dist/types/index.d.ts",
"files": [
"dist",
"dist.browser"
"dist"
],
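Review bot: the new `exports` map declares only the `.` entry, so any consumer importing a deep path such as `json-ptr/dist/...` is cut off once this ships; that is a breaking change for a package whose version field is still 2.2.1-master.18a4d58, so it should be called out in the changelog or come with the major bump. Also, `"umd": "dist/json-ptr.min.js"` is not a field npm or bundlers read; if it is informational only, document it in the README, otherwise the conventional field for a browser bundle is `browser`.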

@@ -25,14 +32,16 @@ "license": "MIT",

"scripts": {
"clean": "rimraf coverage dist dist.browser tmp docs",
"clean": "shx rm -fr coverage dist dist.browser docs tmp .nyc_output",
"prebuild": "npm run lint",
"prebuild:browser": "shx rm -fr dist.browser",
"build:browser": "webpack",
"build:browser-tests": "webpack --config webpack.tests.config.js",
"buildall": "tsc --importHelpers -p tsconfig.release.json && npm run build:browser && npm run build:browser-tests && npm run docs",
"buildall": "npm run build-lib && npm run build:browser && npm run build:browser-tests && npm run docs",
"build-lib": "rollup -c",
"build": "npm run buildall",
"build:watch": "tsc -w --importHelpers -p tsconfig.release.json",
"prebuild-lib": "shx rm -fr dist",
"postbuild-lib": "shx cp package-cjs.json dist/cjs/package.json && shx cp package-esm.json dist/esm/package.json",
"lint": "eslint . --ext .ts,.tsx",
"lint:fix": "eslint . --ext .ts,.tsx --fix",
"pretest": "npm run lint:fix",
"test": "nyc mocha __tests__/**/*.spec.ts",
"test:watch": "chokidar \"*.js\" \"*.json\" \"src/**/*.ts\" \"__tests__/**/*.ts\" --command \"npm run test\" --initial",
"test": "cross-env TS_NODE_COMPILER_OPTIONS='{ \"module\": \"commonjs\", \"noEmit\": false }' nyc mocha src/**/*.spec.ts",
"test:watch": "onchange --initial \"*.js\" \"*.json\" \"src/**/*.ts\" -- npm run test",
"cilint": "eslint . --ext .ts,.tsx --format junit --output-file ./reports/eslint/eslint.xml",
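Review bot: `"pretest": "npm run lint:fix"` makes `npm test` rewrite source files as a side effect, which is surprising in CI and hides lint failures behind automatic edits; run the non-fixing `lint` target in `pretest` and keep `lint:fix` for interactive use. The `test` script also inlines a JSON blob in `TS_NODE_COMPILER_OPTIONS`; putting `module: commonjs` in a dedicated tsconfig for ts-node would keep that setting in one reviewable place.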

@@ -42,6 +51,9 @@ "precibuild": "npm run cilint",

"preci": "npm run cibuild",
"ci": "nyc mocha __tests__/**/*.spec.ts --timeout=10000 --exit --reporter mocha-junit-reporter --reporter-options mochaFile=reports/mocha/test-results.xml",
"docs": "typedoc --theme minimal --entryPoints src/index.ts && cp _config.yml docs/"
"ci": "cross-env TS_NODE_COMPILER_OPTIONS='{ \"module\": \"commonjs\", \"noEmit\": false }' nyc mocha src/**/*.spec.ts --timeout=10000 --exit --reporter mocha-junit-reporter --reporter-options mochaFile=reports/mocha/test-results.xml",
"predocs": "shx rm -fr docs",
"docs": "typedoc && shx cp _config.yml docs/"
},
"devDependencies": {
"@rollup/plugin-commonjs": "^21.0.1",
"@rollup/plugin-node-resolve": "^13.0.6",
"@types/assert-plus": "^1.0.4",
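Review bot: `ci` repeats the `TS_NODE_COMPILER_OPTIONS` string from `test` verbatim, so the two can drift apart; have `ci` call `npm test -- --timeout=10000 --exit --reporter ...` (mocha accepts extra flags after `--`) so local and CI runs share one compiler configuration. The `preci` -> `cibuild` -> `precibuild` -> `cilint` chain shown in the header context still makes a lint failure block CI, which is the behaviour you want.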

@@ -51,23 +63,30 @@ "@types/bent": "^7.3.2",

"@types/debug": "^4.1.5",
"@types/mocha": "^8.2.2",
"@types/node": "~15.0.2",
"@typescript-eslint/eslint-plugin": "^4.23.0",
"@typescript-eslint/parser": "^4.23.0",
"@types/mocha": "^9.0.0",
"@types/node": "^16.11.4",
"@typescript-eslint/eslint-plugin": "^5.1.0",
"@typescript-eslint/parser": "^5.1.0",
"bent": "^7.3.12",
"chai": "^4.3.4",
"chokidar-cli": "^2.1.0",
"eslint": "^7.26.0",
"cross-env": "^7.0.3",
"eslint": "^8.1.0",
"eslint-config-prettier": "^8.3.0",
"eslint-plugin-mocha": "^8.1.0",
"eslint-plugin-prettier": "^3.4.0",
"mocha": "^8.4.0",
"eslint-plugin-mocha": "^9.0.0",
"eslint-plugin-prettier": "^4.0.0",
"mocha": "^9.1.3",
"mocha-junit-reporter": "^2.0.0",
"nyc": "^15.1.0",
"prettier": "~2.3.0",
"onchange": "^7.1.0",
"prettier": "^2.4.1",
"process": "^0.11.10",
"rimraf": "~3.0.2",
"rollup": "^2.58.3",
"rollup-plugin-peer-deps-external": "^2.2.4",
"rollup-plugin-terser": "^7.0.2",
"rollup-plugin-typescript2": "^0.30.0",
"shx": "^0.3.3",
"terser-webpack-plugin": "^5.1.2",
"ts-loader": "^9.1.2",
"ts-node": "^9.1.1",
"typedoc": "^0.20.36",
"typescript": "~4.2.4",
"ts-node": "^10.4.0",
"typedoc": "^0.22.6",
"typescript": "^4.4.4",
"util": "^0.12.3",
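Review bot: the major bumps here (eslint 7 -> 8, @typescript-eslint 4 -> 5, mocha 8 -> 9, eslint-plugin-mocha 8 -> 9, eslint-plugin-prettier 3 -> 4, typedoc 0.20 -> 0.22) can each change default rules or test behaviour, and because `pretest` runs `lint:fix`, a rule change lands as source edits during `npm test`; a changelog line for the toolchain bump and a CI run against the regenerated lockfile would make this reviewable. Also confirm that `chokidar-cli` and `rimraf` are actually dropped now that the scripts use `onchange` and `shx`; this rendering does not show whether those lines are removed or unchanged.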

@@ -94,6 +113,3 @@ "webpack": "^5.37.0",

"instrument": true
},
"dependencies": {
"tslib": "^2.2.0"
}
}
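Review bot: removing `tslib` from `dependencies` is only safe if the rollup build (`build-lib`) inlines the TypeScript helpers into `dist/cjs` and `dist/esm`; if the TypeScript plugin still emits `import ... from "tslib"`, consumers get a runtime "Cannot find module 'tslib'" error, which is exactly the bug the 1.3.2 changelog entry ("Added missing `tslib` dependency") fixed. Inspect the built output for a `tslib` import before merging, or keep the dependency.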

@@ -11,14 +11,4 @@ # json-ptr

I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it.
I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it. I hope you also find it useful.
## Security Vulnerability prior to v2.1.0
There is a security vulnerability in versions prior to v2.1.0 in which an unscrupulous actor may execute arbitrary code. If your code sends un-sanitized user input to `json-ptr`'s `.get()` method, your project is vulnerable to this injection-style vulnerability.
If your code is vulnerable, you should upgrade immediately, and also, stop sending un-sanitized user input to `json-ptr`.
## Breaking Changes at v1.3.0
As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.
## Install
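Review bot: moving the v2.1.0 advisory off the first screen of the README reduces its visibility to someone skimming for upgrade guidance. The content survives further down as "Security Vulnerabilities (Resolved)" and "Breaking Changes at v1.3.0", so nothing is lost, but a one-line pointer near the top (for example under "## Install": "See Security Vulnerabilities below before pinning a version") would keep it findable.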

@@ -30,7 +20,15 @@

## Release Bundles
As of v3.0.0, we provide CJS, ESM, and UMD builds under the `dist/` folder when you install the package from NPM, we also have all appropriate references in our `package.json` file, so your code should just work. If you need a CDN reference to `json-ptr`, try [UNPKG](https://unpkg.com/), which picks up our releases automatically.
## Use
### [nodejs](https://nodejs.org/en/)
Both CJS and ESM are supported.
```javascript
const { JsonPointer } = require('json-ptr');
```
```javascript
import { JsonPointer } from 'json-ptr';
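Review bot: "As of v3.0.0" does not match the version field in this diff (2.2.1-master.18a4d58), so either the README is ahead of `package.json` or the version bump is missing from this change; settle which before publishing. The sentence is also a run-on; split it after "when you install the package from NPM". Finally, for the `import { JsonPointer } from 'json-ptr'` form to work in a `"type": "module"` consumer, the `package-esm.json` that `postbuild-lib` copies to `dist/esm/package.json` must itself declare `"type": "module"`, otherwise Node treats those `.js` files as CommonJS; worth a test that imports the built package from a scratch ESM project.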

@@ -41,3 +39,3 @@ ```

The [API documentation is generated from code by typedoc and hosted here](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html). Read the docs.
The [API documentation is generated from code by typedoc and hosted here](http://flitbit.github.io/json-ptr/). Read the docs.

@@ -71,3 +69,3 @@ Documentation is always a work in progress, let us know by creating an issue if you need a scenario documented.

honorific: JsonPointer.create('/primary/primaryGuest/honorific'),
}
},
};

@@ -101,17 +99,21 @@

const reservationV1: Reservation = {
guests: [{
name: 'Wilbur',
surname: 'Finkle',
honorific: 'Mr.'
}, {
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.'
}, {
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12
}]
guests: [
{
name: 'Wilbur',
surname: 'Finkle',
honorific: 'Mr.',
},
{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.',
},
{
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12,
},
],
// ...

@@ -127,17 +129,20 @@ };

surname: 'Finkle',
honorific: 'Mr.'
honorific: 'Mr.',
},
additionalGuests: [{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.'
}, {
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12
}]
additionalGuests: [
{
name: 'Wanda',
surname: 'Finkle',
honorific: 'Mrs.',
},
{
name: 'Wilma',
surname: 'Finkle',
honorific: 'Miss',
child: true,
age: 12,
},
],
// ...
}
},
// ...

@@ -148,5 +153,14 @@ };

console.log(primaryGuestName(reservationV1_1));
```
## Security Vulnerabilities (Resolved)
- **prior to v3.0.0** there was a security vulnerability which allowed a developer to perform prototype pollution by sending malformed path segments to `json-ptr`. If you were one of these developers, you should upgrade to v3.0.0 immediately, and stop using `json-ptr` to pollute an object's prototype. If you feel you have a legitimate reason to do so, please use another method and leave `json-ptr` out of it. Such behavior has been disallowed since it can easily be done using plain ol javascript by those determined to violate common best practice.
- **prior to v2.1.0** there was a security vulnerability which allowed an unscrupulous actor to execute arbitrary code if developers failed to sanitize user input before sending it to `json-ptr`. If your code does not sanitize user input before sending it to `json-ptr`, your project is vulnerable and you should upgrade to v3.0.0 immediately. And while your at it, start sanitized user input before sending it to any library!
## Breaking Changes at v1.3.0
As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.
### Where did the Global Functions Go?
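Review bot: the "prior to v3.0.0" bullet frames the risk as a developer deliberately using `json-ptr` to pollute a prototype, but the security-relevant case is the one the 3.0.0 changelog entry names: path segments reaching set/unset from untrusted input. Reword it around attacker-controlled pointers so readers understand why they must upgrade rather than why they should not misuse the library. Two typos in the second bullet: "while your at it, start sanitized user input" should read "while you're at it, start sanitizing user input". Both bullets would benefit from a link to the disclosure (the huntr.dev report cited in the last hunk's header context) so readers can find the reference.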

@@ -156,5 +170,5 @@

| Global Fn | Static Fn | Documentation |
|---|---|---|
| `create()`| `JsonPointer.create()` | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create) |
| Global Fn | Static Fn | Documentation |
| ------------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `create()` | `JsonPointer.create()` | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create) |
| `decode()` | `JsonPointer.decode()` | [Decodes the specified pointer into path segments.](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#decode) |

@@ -252,2 +266,4 @@ | `flatten()` | `JsonPointer.flatten()` | [DEvaluates the target's object graph, returning a Record&lt;Pointer, unknown> populated with pointers and the corresponding values from the graph..](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#flatten) |

- 2021-10-26 — **3.0.0** **Potential Security Vulnerability Patched**
- When setting a value on an object graph, a developer could purposely use `json-ptr` to pollute an object's prototype by passing invalid path segments to the set/unset operations. This behavior has been disallowed.
- 2021-05-14 — **2.2.0** _Added Handling for Relative JSON Pointers_
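Review bot: the 3.0.0 entry says invalid path segments to set/unset are now disallowed but not what the caller observes (an error thrown, or the segment silently skipped). The 2.0.0 line quoted in the header context of the last hunk already states "Prototype pollution using this library is now disallowed and will throw an error", so say here whether 3.0.0 closes a bypass of that earlier fix and whether the behaviour is the same; downstream users deciding on an upgrade need that distinction.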

@@ -258,6 +274,7 @@ - [Example usage](https://github.com/flitbit/json-ptr/blob/487182100a08f4ddc7713e42ec063bbd5ce2c34c/examples/relative.js)

- 2021-05-12 — **2.1.0** _Bug fixes for [#28](https://github.com/flitbit/json-ptr/issues/28) and [#30](https://github.com/flitbit/json-ptr/issues/30); **Security Vulnerability Patched**_
- When compiling the accessors for quickly points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.
- When compiling the accessors for quickly accessing points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.
- If your code sent un-sanitized user input to the `.get()` method of `json-ptr`, your project was susceptible to this security vulnerability!
- 2020-10-21 — **2.0.0** _*Breaking Change*_
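Review bot: good fix of "quickly points" to "quickly accessing points"; the same sentence still reads "throw an exception in during normal usage", where "in" should go as well.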

@@ -269,38 +286,44 @@ - Prototype pollution using this library is now disallowed and will throw an error. I've been looking into the origin of this issue and it seems to have been disclosed by mohan on [huntr.dev](https://www.huntr.dev/bounties/1-npm-json-ptr/). I received [a PR from](https://github.com/flitbit/json-ptr/pull/26) [@luci-m-666](https://github.com/luci-m-666), but found [another PR](https://github.com/418sec/json-ptr/pull/1) by [@alromh87](https://github.com/alromh87) that looks like the origin of the solution. Don't know who to thank, but thanks all -- somebody is due a bounty.

- 2020-07-20 — **1.3.2**
- Added missing `tslib` dependency.
- Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).
- 2020-07-20 — **1.3.2**
- Added missing `tslib` dependency.
- Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).
- 2020-07-10 — **1.3.0** **BREAKING CHANGES**
- **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
- Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
- Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
- 100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.
- 2020-07-10 — **1.3.0** **BREAKING CHANGES**
- 2019-09-14 — **1.2.0**
- Merged new `.concat` function contributed by @vuwuv, updated dependencies.
- **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
- Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
- Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
- 100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.
- 2019-03-10 — **1.1.2**
- Updated packages to remove critical security concern among dev dependencies'
- 2019-09-14 — **1.2.0**
- 2016-07-26 — **1.0.1**
- Fixed a problem with the Babel configuration
- Merged new `.concat` function contributed by @vuwuv, updated dependencies.
- 2016-01-12 — **1.0.0**
- Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.
- 2019-03-10 — **1.1.2**
- 2016-01-02 — **0.3.0**
- Retooled for node 4+
- Better compiled pointers
- Unrolled recursive `.list` function
- Added `.map` function
- Fully linted
- Lots more tests and examples.
- Documented many previously undocumented features.
- Updated packages to remove critical security concern among dev dependencies'
- 2014-10-21 — **0.2.0** Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.
- 2016-07-26 — **1.0.1**
- Fixed a problem with the Babel configuration
- 2016-01-12 — **1.0.0**
- Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.
- 2016-01-02 — **0.3.0**
- Retooled for node 4+
- Better compiled pointers
- Unrolled recursive `.list` function
- Added `.map` function
- Fully linted
- Lots more tests and examples.
- Documented many previously undocumented features.
- 2014-10-21 — **0.2.0** Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.
## License
[MIT](https://github.com/flitbit/json-ptr/blob/master/LICENSE)
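Review bot: verify the nesting of the changelog bullets after this change. In this rendering every entry from 1.3.2 down to 0.2.0 appears twice, with the 1.2.0 and 1.1.2 headings interleaved between the 1.3.0 sub-bullets, which is consistent with a re-indentation rather than a content edit; confirm that each sub-bullet (especially the three under 1.3.0 and "Updated packages..." under 1.1.2) still sits under its own version heading in the rendered README, and drop the stray trailing apostrophe in "dev dependencies'".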
