bourne
JSON.parse() drop-in replacement with prototype poisoning protection.
Latest Version: 3.0.0
| Version | License | Node | Dependencies | CI |
|---|---|---|---|---|
3.0.0   | BSD | 16, 18, 20, 22 |  |  |
2.1.0 | BSD | 16, 18, 20, 22 |  |  |
Introduction
Consider this:
> const a = '{"__proto__":{ "b":5}}'; '{"__proto__":{ "b":5}}' > const b = JSON.parse(a); { __proto__: { b: 5 } } > b.b; undefined > const c = Object.assign({}, b); {} > c.b 5 The problem is that JSON.parse() retains the __proto__ property as a plain object key. By
itself, this is not a security issue. However, as soon as that object is assigned to another or
iterated on and values copied, the __proto__ property leaks and becomes the object's prototype.