msgpack5
Comparing version 5.2.0 to 5.2.1
@@ -22,3 +22,5 @@ 'use strict' | ||
disableTimestampEncoding: false, | ||
preferMap: false | ||
preferMap: false, | ||
// options.protoAction: 'error' (default) / 'remove' / 'ignore' | ||
protoAction: 'error' | ||
} | ||
@@ -25,0 +27,0 @@ |
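Review bot: The new `protoAction` default is a free-form string, and no validation of a caller-supplied value is visible in this section. A misspelled or wrong-case value such as `'Remove'` would match neither branch in the decoder and fall through to the plain assignment, which is the `ignore` behaviour. Consider rejecting unknown values where the options are read, e.g. `if (!['error', 'remove', 'ignore'].includes(options.protoAction)) throw new TypeError('invalid protoAction')`, so that the setting fails closed. The options object starts above the visible lines, so such a check may already exist elsewhere.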
@@ -190,2 +190,13 @@ 'use strict' | ||
const val = result[i + 1] | ||
if (key === '__proto__') { | ||
if (options.protoAction === 'error') { | ||
throw new SyntaxError('Object contains forbidden prototype property') | ||
} | ||
if (options.protoAction === 'remove') { | ||
continue | ||
} | ||
} | ||
object[key] = val | ||
@@ -192,0 +203,0 @@ } |
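Review bot: The guard compares the raw key with `===`, but `object[key] = val` converts the key to a property name first, so a non-string key whose string form is `__proto__` would pass the check and still reach the prototype setter. If the decoder can produce non-string map keys at this point (the key's definition is above the hunk, so this is inferred), compare the coerced form instead: `if (String(key) === '__proto__') {`. Alternatively, writing the entry with `Object.defineProperty` or building the result from `Object.create(null)` would avoid the setter altogether, though the latter changes the object shape callers see. The enclosing loop starts and ends outside the hunk.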
{ | ||
"name": "msgpack5", | ||
"version": "5.2.0", | ||
"version": "5.2.1", | ||
"description": "A msgpack v5 implementation for node.js and the browser, with extension points", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -114,2 +114,3 @@ msgpack5 [![CI](https://github.com/mcollina/msgpack5/workflows/CI/badge.svg)](https://github.com/mcollina/msgpack5/actions?query=workflow%3ACI) | ||
- `preferMap`, a boolean that forces all maps to be decoded to `Map`s rather than plain objects. This ensures that `decode(encode(new Map())) instanceof Map` and that iteration order is preserved. Defaults to false. | ||
- `protoAction`, a string which can be `error|ignore|remove` that determines what happens when decoding a plain object with a `__proto__` property which would cause prototype poisoning. `error` (default) throws an error, `remove` removes the property, `ignore` (not recommended) allows the property, thereby causing prototype poisoning on the decoded object. | ||
@@ -116,0 +117,0 @@ ------------------------------------------------------- |
@@ -202,3 +202,3 @@ 'use strict' | ||
decoder.write(new Buffer([0xc0, 0xc2])) | ||
decoder.write(Buffer.from([0xc0, 0xc2])) | ||
decoder.end() | ||
@@ -205,0 +205,0 @@ }) |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package