Skip to content

chore(deps): update dependency json to v11 - abandoned #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

chore(deps): update dependency json to v11 - abandoned #157

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Apr 27, 2021
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
json 10.0.0 -> 11.0.0 age adoption passing confidence

⚠️ MAJOR MAJOR MAJOR ⚠️

Release Notes

trentm/json

v11.0.0

Compare Source

  • Backward incompatible and security-related change to parsing the
    -d DELIM option. (#​148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
  trent 38
  % echo '{"name":"trent","age":38}' | json -a name age -d,
  trent,38

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
  trent	38
  % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
  trent
  38

    Before this change, that parsing used eval(), which allowed for unintended
    code execution if an untrusted argument to -d was provided. The fix for
    this vulnerability changes to use JSON.parse() to support escapes. However
    that results in a backward incompatible change, because the set of
    JSON escapes is a subset of
    JavaScript escapes.

    The only escape I expect that would affect any current user would be the
    null byte escape (\0) which can be useful for processing values that may
    have spaces or other likely delimiter characters. For example:

BEFORE

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\0' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

AFTER

    % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
    json: error: Unexpected number in JSON at position 2

One must now use the JSON unicode escape syntax, '\u0000':

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\u0000' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate-bot
chore(deps): update dependency json to v11
a5692dd 
renovate bot automated dependency management

| datasource | package | from   | to     |
| ---------- | ------- | ------ | ------ |
| npm        | json    | 10.0.0 | 11.0.0 |
@renovate renovate bot requested review from a team and dezren39 as code owners April 27, 2021 03:48
@renovate
Copy link
Author

renovate bot commented Mar 23, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title chore(deps): update dependency json to v11 chore(deps): update dependency json to v11 - abandoned Dec 8, 2024
@renovate
Copy link
Author

renovate bot commented Dec 8, 2024

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dezren39 dezren39 Awaiting requested review from dezren39 dezren39 is a code owner

Assignees

@dezren39 dezren39

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dezren39 @renovate-bot