mongo-escape - npm Package Compare versions

Comparing version 2.0.3 to 2.0.4

package.json

 {
   "name": "mongo-escape",
-  "version": "2.0.3",
+  "version": "2.0.4",
   "author": {
@@ -5,0 +5,0 @@ "name": "Tim Kuijsten",

README.md

@@ -5,9 +5,9 @@ # mongo-escape
 
-Replace all occurences of "$" and "." with "＄" (U+FF04) and "．" (U+FF0E).
+Replace all occurences of "$" and "." with "＄" and "．", respectively.
 
-**Note**: this ought to be foolproof **only** if [server side JavaScript is disabled],
-so make sure `security.javascriptEnabled` is set to `false` in your mongodb
-configuration file. This has the effect that the [mapReduce] command and [$where]
-operator can not be used since these functions allow the execution of arbitrary
-JavaScript code.
+**Note**: this module only protects against keyword injection, not full
+JavaScript injection. So don't rely on this module for escaping the [mapReduce]
+command or [$where] operator as these commands parse and execute their values as
+JavaScript. From a security point of view it is recommended to
+[disable server side JavaScript] altogether.
 
@@ -106,4 +106,4 @@ ## Examples
 
-[server side JavaScript is disabled]: https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js
+[disable server side JavaScript]: https://docs.mongodb.com/manual/core/server-side-javascript/#disable-server-side-js
 [mapReduce]: https://docs.mongodb.com/manual/reference/command/mapReduce/#dbcmd.mapReduce
 [$where]: https://docs.mongodb.com/manual/reference/operator/query/where/#op._S_where

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

17510

increased by0.38%

No dependency changes