flitbit
diff --git a/‎.circleci/config.yml
Lines changed: 5 additions & 5 deletions b/‎.circleci/config.yml
Lines changed: 5 additions & 5 deletions
diff --git a/‎.eslintignore
Lines changed: 1 addition & 0 deletions b/‎.eslintignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎.eslintrc.json
Lines changed: 5 additions & 6 deletions b/‎.eslintrc.json
Lines changed: 5 additions & 6 deletions
diff --git a/‎LICENSE
Lines changed: 1 addition & 1 deletion b/‎LICENSE
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md
Lines changed: 95 additions & 72 deletions b/‎README.md
Lines changed: 95 additions & 72 deletions
diff --git a/‎__tests__/.eslintrc.json
Lines changed: 0 additions & 24 deletions b/‎__tests__/.eslintrc.json
Lines changed: 0 additions & 24 deletions
diff --git a/‎docs/.nojekyll
Lines changed: 1 addition & 0 deletions b/‎docs/.nojekyll
Lines changed: 1 addition & 0 deletions
@@ -1,12 +1,12 @@
 version: 2.1
 executors:
-  node-12:
+  node-14:
     docker:
-      - image: circleci/node:12
+      - image: circleci/node:14
 
 commands:
   npm-ci:
-    description: "standard npm-based ci workflow"
+    description: 'standard npm-based ci workflow'
     steps:
       - checkout
       - run:
@@ -42,7 +42,7 @@ commands:
 jobs:
   build-pre:
     working_directory: ~/repo
-    executor: node-12
+    executor: node-14
     steps:
       - npm-ci
       - run:
@@ -57,7 +57,7 @@ jobs:
 
   build-release:
     working_directory: ~/repo
-    executor: node-12
+    executor: node-14
     steps:
       - npm-ci
       - run:
 
@@ -1,2 +1,3 @@
 /**/*.js
 dist/
+examples/
@@ -1,22 +1,21 @@
 {
   "env": {
     "browser": false,
-    "es6": true,
-    "node": true
+    "es2020": true,
+    "node": true,
+    "mocha": true
   },
   "parser": "@typescript-eslint/parser",
   "parserOptions": {
     "project": "./tsconfig.json",
     "sourceType": "module"
   },
-  "plugins": [
-    "@typescript-eslint"
-  ],
+  "plugins": ["@typescript-eslint", "mocha"],
   "extends": [
     "eslint:recommended",
     "plugin:@typescript-eslint/eslint-recommended",
     "plugin:@typescript-eslint/recommended",
     "plugin:prettier/recommended"
   ],
   "rules": {}
-}
+}
@@ -1,4 +1,4 @@
-Copyright (c) 2011-2018 Phillip Clark
+Copyright (c) 2011-2021 Phillip Clark
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
 
@@ -8,27 +8,25 @@ Supports [Relative JSON Pointers](https://tools.ietf.org/id/draft-handrews-relat
 
 ## Background
 
-I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it.
-
-## Security Vulnerability prior to v2.1.0
-
-There is a security vulnerability in versions prior to v2.1.0 in which an unscrupulous actor may execute arbitrary code. If your code sends un-sanitized user input to `json-ptr`'s `.get()` method, your project is vulnerable to this injection-style vulnerability.
-
-If your code is vulnerable, you should upgrade immediately, and also, stop sending un-sanitized user input to `json-ptr`.
-
-## Breaking Changes at v1.3.0
-
-As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.
+I wrote this a few years back when I was unable to find a _complete implementation_ of [RFC 6901](https://tools.ietf.org/html/rfc6901). It turns out that I now use the hell out of it. I hope you also find it useful.
 
 ## Install
 
 ```bash
 npm install json-ptr
 ```
 
+## Release Bundles
+
+As of v3.0.0, we provide CJS, ESM, and UMD builds under the `dist/` folder when you install the package from NPM, we also have all appropriate references in our `package.json` file, so your code should just work. If you need a CDN reference to `json-ptr`, try [UNPKG](https://unpkg.com/), which picks up our releases automatically.
+
 ## Use
 
-### [nodejs](https://nodejs.org/en/)
+Both CJS and ESM are supported.
+
+```javascript
+const { JsonPointer } = require('json-ptr');
+```
 
 ```javascript
 import { JsonPointer } from 'json-ptr';
@@ -65,7 +63,7 @@ const versions: Record<SupportedVersion, PrimaryGuestNamePointers> = {
     name: JsonPointer.create('/primary/primaryGuest/name'),
     surname: JsonPointer.create('/primary/primaryGuest/surname'),
     honorific: JsonPointer.create('/primary/primaryGuest/honorific'),
-  }
+  },
 };
 
 interface Reservation extends Record<string, unknown> {
@@ -94,21 +92,25 @@ function primaryGuestName(reservation: Reservation): string {
 
 // The original layout of a reservation (only the parts relevant to our example)
 const reservationV1: Reservation = {
-  guests: [{
-    name: 'Wilbur',
-    surname: 'Finkle',
-    honorific: 'Mr.'
-  }, {
-    name: 'Wanda',
-    surname: 'Finkle',
-    honorific: 'Mrs.'
-  }, {
-    name: 'Wilma',
-    surname: 'Finkle',
-    honorific: 'Miss',
-    child: true,
-    age: 12
-  }]
+  guests: [
+    {
+      name: 'Wilbur',
+      surname: 'Finkle',
+      honorific: 'Mr.',
+    },
+    {
+      name: 'Wanda',
+      surname: 'Finkle',
+      honorific: 'Mrs.',
+    },
+    {
+      name: 'Wilma',
+      surname: 'Finkle',
+      honorific: 'Miss',
+      child: true,
+      age: 12,
+    },
+  ],
   // ...
 };
 
@@ -119,36 +121,48 @@ const reservationV1_1: Reservation = {
     primaryGuest: {
       name: 'Wilbur',
       surname: 'Finkle',
-      honorific: 'Mr.'
+      honorific: 'Mr.',
     },
-    additionalGuests: [{
-      name: 'Wanda',
-      surname: 'Finkle',
-      honorific: 'Mrs.'
-    }, {
-      name: 'Wilma',
-      surname: 'Finkle',
-      honorific: 'Miss',
-      child: true,
-      age: 12
-    }]
+    additionalGuests: [
+      {
+        name: 'Wanda',
+        surname: 'Finkle',
+        honorific: 'Mrs.',
+      },
+      {
+        name: 'Wilma',
+        surname: 'Finkle',
+        honorific: 'Miss',
+        child: true,
+        age: 12,
+      },
+    ],
     // ...
-  }
+  },
   // ...
 };
 
 console.log(primaryGuestName(reservationV1));
 console.log(primaryGuestName(reservationV1_1));
-
 ```
 
+## Security Vulnerabilities (Resolved)
+
+- **prior to v3.0.0** there was a security vulnerability which allowed a developer to perform prototype pollution by sending malformed path segments to `json-ptr`. If you were one of these developers, you should upgrade to v3.0.0 immediately, and stop using `json-ptr` to pollute an object's prototype. If you feel you have a legitimate reason to do so, please use another method and leave `json-ptr` out of it. Such behavior has been disallowed since it can easily be done using plain ol javascript by those determined to violate common best practice.
+
+- **prior to v2.1.0** there was a security vulnerability which allowed an unscrupulous actor to execute arbitrary code if developers failed to sanitize user input before sending it to `json-ptr`. If your code does not sanitize user input before sending it to `json-ptr`, your project is vulnerable and you should upgrade to v3.0.0 immediately. And while your at it, start sanitized user input before sending it to any library!
+
+## Breaking Changes at v1.3.0
+
+As was rightly pointed out in [this issue](https://github.com/flitbit/json-ptr/issues/24), I should have rolled the major version at `v1.3.0` instead of the minor version due to [breaking changes to the API](#user-content-where-did-the-global-functions-go). Not the worst blunder I've made, but my apologies all the same. Since the ship has sailed, I'm boosting the visibility of these breaking changes.
+
 ### Where did the Global Functions Go?
 
 In version `v1.3.0` of the library, global functions were moved to static functions of the `JsonPointer` class. There should be no difference in arguments or behavior. If you were previously importing the global functions it is a small change to destructure them and have compatible code.
 
-| Global Fn | Static Fn | Documentation |
-|---|---|---|
-| `create()`| `JsonPointer.create()`          | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create)                                                                                                        |
+| Global Fn           | Static Fn                       | Documentation                                                                                                                                                                                                                           |
+| ------------------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `create()`          | `JsonPointer.create()`          | [Factory function that creates a `JsonPointer`](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#create)                                                                                                        |
 | `decode()`          | `JsonPointer.decode()`          | [Decodes the specified pointer into path segments.](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#decode)                                                                                                    |
 | `flatten()`         | `JsonPointer.flatten()`         | [DEvaluates the target's object graph, returning a Record&lt;Pointer, unknown> populated with pointers and the corresponding values from the graph..](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#flatten) |
 | `get()`             | `JsonPointer.get()`             | [Gets the target object's value at the pointer's location.](http://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#get)                                                                                               |
@@ -241,54 +255,63 @@ It is important to recognize in the performance results that _compiled_ options
 
 ## Releases
 
+- 2021-10-26 — **3.0.0** **Potential Security Vulnerability Patched**
+  - When setting a value on an object graph, a developer could purposely use `json-ptr` to pollute an object's prototype by passing invalid path segments to the set/unset operations. This behavior has been disallowed.
 - 2021-05-14 — **2.2.0** _Added Handling for Relative JSON Pointers_
   - [Example usage](https://github.com/flitbit/json-ptr/blob/487182100a08f4ddc7713e42ec063bbd5ce2c34c/examples/relative.js)
 - 2021-05-12 — **2.1.1** _Bug fix for [#36](https://github.com/flitbit/json-ptr/issues/36)_
   - @CarolynWebster reported an unintentional behavior change starting at v1.3.0. An operation involving a pointer/path that crossed a null value in the object graph resulted in an exception. In versions prior to v1.3.0 it returned `undefined` as intended. The original behavior has been restored.
 - 2021-05-12 — **2.1.0** _Bug fixes for [#28](https://github.com/flitbit/json-ptr/issues/28) and [#30](https://github.com/flitbit/json-ptr/issues/30); **Security Vulnerability Patched**_
-  - When compiling the accessors for quickly points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.
+
+  - When compiling the accessors for quickly accessing points in an object graph, the `.get()` method was not properly delimiting single quotes. This error caused the get operation to throw an exception in during normal usage. Worse, in cases where malicious user input was sent directly to `json-ptr`, the failure to delimit single quotes allowed the execution of arbitrary code (an injection attack). The first of these issues was reported in #28 by @mprast, the second (vulnerability) by @zpbrent. Thanks also to @elimumford for the actual code used for the fix.
 
   - If your code sent un-sanitized user input to the `.get()` method of `json-ptr`, your project was susceptible to this security vulnerability!
- 
+
 - 2020-10-21 — **2.0.0** _*Breaking Change*_
   - Prototype pollution using this library is now disallowed and will throw an error. I've been looking into the origin of this issue and it seems to have been disclosed by mohan on [huntr.dev](https://www.huntr.dev/bounties/1-npm-json-ptr/). I received [a PR from](https://github.com/flitbit/json-ptr/pull/26) [@luci-m-666](https://github.com/luci-m-666), but found [another PR](https://github.com/418sec/json-ptr/pull/1) by [@alromh87](https://github.com/alromh87) that looks like the origin of the solution. Don't know who to thank, but thanks all -- somebody is due a bounty.
   - Just in case somebody was relying on `json-ptr` to support pointers across the prototype, I'm rolling the major version number because you're now broken.
 
 > BEWARE of [Breaking Changes at v1.3.0!](#user-content-where-did-the-global-functions-go)
 
--   2020-07-20 — **1.3.2**
-    -   Added missing `tslib` dependency.
-    -   Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).
+- 2020-07-20 — **1.3.2**
+
+  - Added missing `tslib` dependency.
+  - Documented [where the global functions are now located; moving them broke compatibility at v1.3.0](#user-content-where-did-the-global-functions-go).
+
+- 2020-07-10 — **1.3.0** **BREAKING CHANGES**
+
+  - **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
+  - Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
+  - Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
+  - 100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.
+
+- 2019-09-14 — **1.2.0**
+
+  - Merged new `.concat` function contributed by @vuwuv, updated dependencies.
+
+- 2019-03-10 — **1.1.2**
 
+  - Updated packages to remove critical security concern among dev dependencies'
 
--   2020-07-10 — **1.3.0** **BREAKING CHANGES**
-    -   **BREAKING CHANGE:** Global functions are now static functions on the `JsonPointer` type. See [_Where did the Global Functions Go?_](#user-content-where-did-the-global-functions-go)
-    -   Merged new `.unset()` function contributed by @chrishalbert, updated dependencies.
-    -   Migrated to typescript and retooled build/test/deploy pipeline. Definitely typed.
-    -   100% test coverage which illuminated some idiosyncrasies; maybe we killed unobserved bugs, nobody knows.
+- 2016-07-26 — **1.0.1**
 
--   2019-09-14 — **1.2.0**
-    -   Merged new `.concat` function contributed by @vuwuv, updated dependencies.
+  - Fixed a problem with the Babel configuration
 
--   2019-03-10 — **1.1.2**
-    -   Updated packages to remove critical security concern among dev dependencies'
+- 2016-01-12 — **1.0.0**
 
--   2016-07-26 — **1.0.1**
-    -   Fixed a problem with the Babel configuration
+  - Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.
 
--   2016-01-12 — **1.0.0**
-    -   Rolled major version to 1 to reflect breaking change in `.list(obj, fragmentId)`.
+- 2016-01-02 — **0.3.0**
 
--   2016-01-02 — **0.3.0**
-    -   Retooled for node 4+
-    -   Better compiled pointers
-    -   Unrolled recursive `.list` function
-    -   Added `.map` function
-    -   Fully linted
-    -   Lots more tests and examples.
-    -   Documented many previously undocumented features.
+  - Retooled for node 4+
+  - Better compiled pointers
+  - Unrolled recursive `.list` function
+  - Added `.map` function
+  - Fully linted
+  - Lots more tests and examples.
+  - Documented many previously undocumented features.
 
--   2014-10-21 — **0.2.0**  Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.
+- 2014-10-21 — **0.2.0** Added #list function to enumerate all properties in a graph, producing fragmentId/value pairs.
 
 ## License
 
 
@@ -0,0 +1 @@
+TypeDoc added this file to prevent GitHub Pages from using Jekyll. You can turn off this behavior by setting the `githubPages` option to false.
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`/*/.js`
`2`	`2`	`dist/`
	`3`	`+examples/`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-Copyright (c) 2011-2018 Phillip Clark`
	`1`	`+Copyright (c) 2011-2021 Phillip Clark`
`2`	`2`
`3`	`3`	`Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+TypeDoc added this file to prevent GitHub Pages from using Jekyll. You can turn off this behavior by setting the `githubPages` option to false.