Releases: fastify/secure-json-parse
v2.1.0
v2.0.0
Now the library also detects the use of the `constructor` key, as it was doing with the `__proto__` key. `parse` will throw an error by default, while `safeParse` will continue to work as before.
```js
const j = require('secure-json-parse')

// old behavior: only the __proto__ key is handled, constructor passes through
j.parse(
  '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }',
  { protoAction: 'remove' }
) // => { a: 5, b: 6, constructor: { prototype: { bar: 'baz' } } }

// new behavior: the constructor key is rejected by default
j.parse(
  '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }',
  { protoAction: 'remove' }
) // => SyntaxError

// for having the same behavior as before:
j.parse(
  '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }',
  { protoAction: 'remove', constructorAction: 'ignore' }
) // => { a: 5, b: 6, constructor: { prototype: { bar: 'baz' } } }
```
Features:
- Added support for `constructorAction` - #4
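Why the `constructor` key needs the same treatment as `__proto__`, as an added example that is not part of the release notes or the library's code. The names `filter`, `safeParseJson`, `naiveMerge` and `Settings` are hypothetical, the payload is constructed, and the scanner is a simplified stand-in for the library's check.

```javascript
// Constructed payload with the same shape as the one in the release note.
const text = '{"a": 5, "b": 6, "constructor":{"prototype":{"bar":"baz"}}, "__proto__": { "x": 7 } }'
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// Hypothetical scanner: applies 'error' | 'remove' | 'ignore' to `__proto__`
// keys and to `constructor` keys whose value carries a `prototype` member.
function filter (value, { protoAction = 'error', constructorAction = 'error' } = {}) {
  const rules = [['__proto__', protoAction], ['constructor', constructorAction]]
  const stack = [value]
  while (stack.length > 0) {
    const node = stack.pop()
    if (node === null || typeof node !== 'object') continue
    for (const [key, action] of rules) {
      if (action === 'ignore' || !hasOwn(node, key)) continue
      const child = node[key]
      const hit = key === '__proto__' ||
        (child !== null && typeof child === 'object' && hasOwn(child, 'prototype'))
      if (!hit) continue
      if (action === 'error') throw new SyntaxError(`Object contains forbidden key: ${key}`)
      delete node[key] // action === 'remove'
    }
    for (const key of Object.keys(node)) stack.push(node[key])
  }
  return value
}

const safeParseJson = (json, options) => filter(JSON.parse(json), options)

// A naive recursive merge: the kind of consumer that turns the key into a write
// on a shared prototype, because target.constructor.prototype is reachable.
function naiveMerge (target, source) {
  for (const key of Object.keys(source)) {
    const src = source[key]
    const dst = target[key]
    const canRecurse = dst != null && (typeof dst === 'object' || typeof dst === 'function')
    if (src !== null && typeof src === 'object' && canRecurse) naiveMerge(dst, src)
    else target[key] = src
  }
  return target
}

class Settings {} // local class, so only Settings.prototype is touched here
// Returns what a fresh Settings instance inherits as `bar` after the merge.
function barAfterMerge (options) {
  naiveMerge(new Settings(), safeParseJson(text, options))
  const seen = new Settings().bar
  for (const k of ['bar', 'x']) delete Settings.prototype[k] // undo side effects
  return seen
}
```

With `{ protoAction: 'remove', constructorAction: 'ignore' }` (the pre-2.0.0 behavior) `barAfterMerge` returns `'baz'`; with both actions set to `'remove'` it returns `undefined`.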