Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency json to v11 - abandoned #157

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Apr 27, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
json 10.0.0 -> 11.0.0 age adoption passing confidence

⚠️ MAJOR MAJOR MAJOR ⚠️


Release Notes

trentm/json

v11.0.0

Compare Source

  • Backward incompatible and security-related change to parsing the
    -d DELIM option. (#​148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
      trent 38
      % echo '{"name":"trent","age":38}' | json -a name age -d,
      trent,38
    

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
      trent	38
      % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
      trent
      38
    

    Before this change, that parsing used eval(), which allowed for unintended
    code execution if an untrusted argument to -d was provided. The fix for
    this vulnerability changes to use JSON.parse() to support escapes. However
    that results in a backward incompatible change, because the set of
    JSON escapes is a subset of
    JavaScript escapes.

    The only escape I expect that would affect any current user would be the
    null byte escape (\0) which can be useful for processing values that may
    have spaces or other likely delimiter characters. For example:

BEFORE

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\0' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

AFTER

    % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
    json: error: Unexpected number in JSON at position 2

One must now use the JSON unicode escape syntax, '\u0000':

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\u0000' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

renovate bot automated dependency management

| datasource | package | from   | to     |
| ---------- | ------- | ------ | ------ |
| npm        | json    | 10.0.0 | 11.0.0 |
@renovate renovate bot requested review from dezren39 and a team as code owners April 27, 2021 03:48
@renovate
Copy link
Author

renovate bot commented Mar 23, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title chore(deps): update dependency json to v11 chore(deps): update dependency json to v11 - abandoned Dec 8, 2024
Copy link
Author

renovate bot commented Dec 8, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants