Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
json-schema-ref-parser
Advanced tools
The json-schema-ref-parser npm package is a tool that can parse JSON Schema files and dereference $ref pointers. This allows you to combine multiple separate JSON Schema files into one resolved schema, validate JSON documents against schemas, and manipulate JSON Schemas programmatically.
Dereferencing $ref pointers
This feature allows you to take a JSON Schema that contains $ref pointers to other files or URLs and resolve them into a single JSON Schema object. This is useful for simplifying and flattening schemas that are spread across multiple files.
{"$ref": "http://example.com/my-schema.json"}
Bundle schemas into a single file
This feature lets you take a JSON Schema with $ref pointers to other files in your project and bundle them all into a single JSON Schema file. This can be useful for distribution or for loading a schema from a single file in a browser or other environments where multiple files are not convenient.
{"$ref": "definitions.json#/address"}
Parse JSON Schema to a JavaScript object
This feature allows you to parse a JSON Schema from a string, file, or URL into a JavaScript object. This can be useful for manipulating the schema programmatically or for using it in conjunction with other tools that operate on JavaScript objects.
{"type": "object", "properties": {"name": {"type": "string"}}}
Ajv is a JSON Schema validator that allows you to compile and validate JSON Schemas. It is similar to json-schema-ref-parser in that it can handle $ref pointers, but its primary focus is on validation rather than parsing and dereferencing.
The json-schema package is another tool for validating JSON data against JSON Schemas. It is similar to json-schema-ref-parser in that it can parse and validate schemas, but it does not have the same focus on resolving $ref pointers.
Tiny Validator (tv4) is a small and fast JSON Schema validator. It is similar to json-schema-ref-parser in that it can validate JSON documents against schemas, but it does not provide the same level of support for dereferencing and bundling schemas.
You've got a JSON Schema with $ref
pointers to other files and/or URLs. Maybe you know all the referenced files ahead of time. Maybe you don't. Maybe some are local files, and others are remote URLs. Maybe they are a mix of JSON and YAML format. Maybe some of the files contain cross-references to each other.
{
"definitions": {
"person": {
// references an external file
"$ref": "schemas/people/Bruce-Wayne.json"
},
"place": {
// references a sub-schema in an external file
"$ref": "schemas/places.yaml#/definitions/Gotham-City"
},
"thing": {
// references a URL
"$ref": "http://wayne-enterprises.com/things/batmobile"
},
"color": {
// references a value in an external file via an internal reference
"$ref": "#/definitions/thing/properties/colors/black-as-the-night"
}
}
}
JSON Schema $Ref Parser is a full JSON Reference and JSON Pointer implementation that crawls even the most complex JSON Schemas and gives you simple, straightforward JavaScript objects.
$ref
pointers to external files and URLs, as well as custom sources such as databases$ref
pointers$ref
pointers to the same value always resolve to the same object instance$RefParser.dereference(mySchema, (err, schema) => {
if (err) {
console.error(err);
}
else {
// `schema` is just a normal JavaScript object that contains your entire JSON Schema,
// including referenced files, combined into a single object
console.log(schema.definitions.person.properties.firstName);
}
})
Or use async
/await
syntax instead. The following example is the same as above:
try {
let schema = await $RefParser.dereference(mySchema);
console.log(schema.definitions.person.properties.firstName);
}
catch(err) {
console.error(err);
}
For more detailed examples, please see the API Documentation
Install using npm:
npm install @apidevtools/json-schema-ref-parser
When using JSON Schema $Ref Parser in Node.js apps, you'll probably want to use CommonJS syntax:
const $RefParser = require("@apidevtools/json-schema-ref-parser");
When using a transpiler such as Babel or TypeScript, or a bundler such as Webpack or Rollup, you can use ECMAScript modules syntax instead:
import $RefParser from "@apidevtools/json-schema-ref-parser";
JSON Schema $Ref Parser supports recent versions of every major web browser. Older browsers may require Babel and/or polyfills.
To use JSON Schema $Ref Parser in a browser, you'll need to use a bundling tool such as Webpack, Rollup, Parcel, or Browserify. Some bundlers may require a bit of configuration, such as setting browser: true
in rollup-plugin-resolve.
Full API documentation is available right here
I welcome any contributions, enhancements, and bug-fixes. Open an issue on GitHub and submit a pull request.
To build/test the project locally on your computer:
Clone this repo
git clone https://github.com/APIDevTools/json-schema-ref-parser.git
Install dependencies
npm install
Run the tests
npm test
JSON Schema $Ref Parser is 100% free and open-source, under the MIT license. Use it however you want.
This package is Treeware. If you use it in production, then we ask that you buy the world a tree to thank us for our work. By contributing to the Treeware forest you’ll be creating employment for local families and restoring wildlife habitats.
Thanks to these awesome companies for their support of Open Source developers ❤
FAQs
Parse, Resolve, and Dereference JSON Schema $ref pointers
We found that json-schema-ref-parser demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.