Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency json to v11 #40

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 17, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
json ^10.0.0 -> ^11.0.0 age adoption passing confidence

Release Notes

trentm/json (json)

v11.0.0

Compare Source

  • Backward incompatible and security-related change to parsing the
    -d DELIM option. (#​148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
      trent 38
      % echo '{"name":"trent","age":38}' | json -a name age -d,
      trent,38
    

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
      trent	38
      % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
      trent
      38
    

    Before this change, that parsing used eval(), which allowed for unintended
    code execution if an untrusted argument to -d was provided. The fix for
    this vulnerability changes to use JSON.parse() to support escapes. However
    that results in a backward incompatible change, because the set of
    JSON escapes is a subset of
    JavaScript escapes.

    The only escape I expect that would affect any current user would be the
    null byte escape (\0) which can be useful for processing values that may
    have spaces or other likely delimiter characters. For example:

BEFORE

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\0' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

AFTER

    % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
    json: error: Unexpected number in JSON at position 2

One must now use the JSON unicode escape syntax, '\u0000':

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\u0000' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants