Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency json to v11 #645

Closed
wants to merge 1 commit into from
Closed

chore(deps): update dependency json to v11 #645

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 2, 2021
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
json 10.0.0 -> 11.0.0 age adoption passing confidence

Release Notes

trentm/json

v11.0.0

Compare Source

  • Backward incompatible and security-related change to parsing the
    -d DELIM option. (#​148)

    The -d DELIM option allows specifying the field delimiter in output:

      % echo '{"name":"trent","age":38}' | json -a name age
  trent 38
  % echo '{"name":"trent","age":38}' | json -a name age -d,
  trent,38

    The given "DELIM" string is parsed to allow escapes. For example:

      % echo '{"name":"trent","age":38}' | json -a name age -d'\t'
  trent	38
  % echo '{"name":"trent","age":38}' | json -a name age -d'\n'
  trent
  38

    Before this change, that parsing used eval(), which allowed for unintended
    code execution if an untrusted argument to -d was provided. The fix for
    this vulnerability changes to use JSON.parse() to support escapes. However
    that results in a backward incompatible change, because the set of
    JSON escapes is a subset of
    JavaScript escapes.

    The only escape I expect that would affect any current user would be the
    null byte escape (\0) which can be useful for processing values that may
    have spaces or other likely delimiter characters. For example:

BEFORE

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\0' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

AFTER

    % echo '{"title":"Monsters, Inc.","year":"2001"}' | json -a title year -d'\0'
    json: error: Unexpected number in JSON at position 2

One must now use the JSON unicode escape syntax, '\u0000':

    % echo '{"title":"Monsters, Inc.","year":"2001"}' \
      | json -a title year -d'\u0000' \
      | xargs -0 node -e 'console.log(process.argv)'
    [ 'node', 'Monsters, Inc.', '2001\n' ]

Configuration

📅 Schedule: "after 4pm on friday,before 9am on monday,every weekend" in timezone Europe/Paris.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/json-11.x branch 4 times, most recently from c5d144e to 4e1b9b8 Compare October 8, 2021 19:21
@renovate renovate bot force-pushed the renovate/json-11.x branch 3 times, most recently from b597ecb to 0df60a1 Compare October 16, 2021 03:48
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from f742d42 to 0024830 Compare October 22, 2021 19:39
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from fa32850 to b4166f9 Compare November 5, 2021 19:39
@renovate renovate bot force-pushed the renovate/json-11.x branch 5 times, most recently from fc7674c to bbabfe2 Compare November 20, 2021 12:48
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from b7ecb05 to 62d95c5 Compare November 26, 2021 20:24
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from 4cdeec5 to a8d08b0 Compare December 4, 2021 21:20
@renovate renovate bot force-pushed the renovate/json-11.x branch 3 times, most recently from 6cb6c58 to cf53b14 Compare December 17, 2021 21:12
@renovate renovate bot force-pushed the renovate/json-11.x branch 3 times, most recently from d009124 to 67d9d8f Compare December 31, 2021 20:59
@renovate renovate bot force-pushed the renovate/json-11.x branch 3 times, most recently from 1f0b62f to f287f99 Compare January 7, 2022 19:02
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from d676a19 to 30e72bd Compare January 14, 2022 21:02
@renovate renovate bot force-pushed the renovate/json-11.x branch 2 times, most recently from 4215f5f to 05b8791 Compare January 28, 2022 21:10
@renovate renovate bot force-pushed the renovate/json-11.x branch 4 times, most recently from ead34bc to 39dffa4 Compare February 11, 2022 20:16
@renovate renovate bot force-pushed the renovate/json-11.x branch 3 times, most recently from 4a4961c to 51f18c3 Compare February 25, 2022 21:26
@armandabric armandabric closed this Mar 7, 2022
@renovate
Copy link
Contributor Author

renovate bot commented Mar 7, 2022
edited
Loading

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 11.x releases. But if you manually upgrade to 11.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/json-11.x branch March 7, 2022 08:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@armandabric @renovate-bot