data-store icon indicating copy to clipboard operation
data-store copied to clipboard
verified publisher icon jonschlinkert

Update `set-value` and `mocha`

Open Brittany-Reid opened this issue 3 years ago • 2 comments

Updated set-value, mocha based on npm audit.

1 failing test case removed:

    it('should not mistake double backslashes for escaped keys', () => {
      store.set('foo\\\\.baz', 'bar');
      store.set('baz', null);
      store.set('qux', 5);

      assert(!store.hasOwn('foo'));
      assert(!store.hasOwn('bar'));
      assert(!store.hasOwn('foo.baz'));
      console.log(store)
      assert(!store.hasOwn('foo\\'));
      assert(store.hasOwn('baz'));
      assert(store.hasOwn('qux'));

      store.set('foo\\.bar.baz\\.qux', 'fez');
      assert(store.hasOwn('foo\\.bar.baz\\.qux'));
    });

Breaking at statement assert(!store.hasOwn('foo\\'));

The escape behaviour is documented in set-value, but only for one set of \\, the old behaviour was:

{
  "foo\\.baz": "bar"
}

The behaviour with set-value updated:

{
  "foo\\": {
    "baz": "bar"
  }
}

I removed the test case as tests in set-value indicate that foo\\\\.bar should split, I assume behaviour should be consistent:

it('should correctly parse multiple consecutive backslashes', () => {
      assert.deepEqual(set.split('a.b\\\\.c'), ['a', 'b\\', 'c']);
    });

Is this correct, or was there a reason for the previous behaviour? Let me know if I should do anything else.

Brittany-Reid avatar Jan 18 '22 08:01 Brittany-Reid

Could someone please merge this? SonarQube detects "set-value" as having a security exploit.

trycoon avatar Feb 05 '22 02:02 trycoon

@jonschlinkert is there a reason not to merge this?

skeddles avatar Nov 03 '22 20:11 skeddles