- fix(eval): improve security of safe-eval (#233)
- chore: update deps. and devDeps.
- feat: add typeof operator to safe script
- fix(security): prevent
constructor
access - docs: add security policy file
- fix(security): prevent
call
/apply
invocation ofFunction
- fix: remove overly aggressive disabling of native functions but
disallow
__proto__
- fix(security): further prevent binding of Function calls which may evade detection
- fix(security): prevent binding of Function calls which may evade detection
- fix(security): prevent Function calls outside of member expressions
- fix(security): prohibit
Function
in "safe" vm
BREAKING CHANGES:
-
Require Node 18+
-
fix(security): use safe vm by default in Node
-
chore: bump jsep, devDeps. and lint
BREAKING CHANGES:
-
Removes
preventEval
property. Prefereval: false
instead. -
Changed behavior of
eval
property. In the browser,eval
/Function
won't be used by default to evaluate expressions. Instead, we'll safely evaluate using a subset of JavaScript. To resume using unsafe eval in the browser, pass in the optioneval: "native"
-
feat: add safe eval for browser and
eval
option (#185) (@80avin) -
feat: add
ignoreEvalErrors
property (@80avin)
- feat: add basic cli (#206) (@vid)
- Breaking change: Bump Node
engines
to 14 - feat: add support for nested filter expressions (@carlosingles)
- docs: update README and license (@akirataguchi115)
- docs: github workflow badge (@dsanch3z)
- perf: optimize walk method by 10%-34% (@jacobroschen)
- chore: add types to exports field (@awlayton)
- perf: improve evaluation speed of conditional queries (@jacobroschen)
- Breaking change: Bump
engines
to 12 - fix: remove
console.log
when error is thrown (@sh33dafi) - chore: update devDeps.
- Fix: Some
package.json
paths needed updating (@matushorvath) - npm: Update devDeps.
- Breaking enhancement: Create as true ESM module
- Breaking change: Utilize
.cjs
extension for UMD and CJS builds (very old browsers might not support, but needed with the change given that Webpack may complain if there even exists CJS within what it thinks is an ESM file, the ".js", our default) - Breaking change: Utilize
.js
extension instead of.mjs
for now default ESM builds
- npm: Add
lint
script - npm: Update devDeps.
- Enhancement: support double-quoted bracket notation
- Linting: As per latest ash-nazg
- npm: Update devDeps.
- Fix: Add
packge.json
toexports
(@sebastiendavid)
- Fix: Remove
static
modifiers (@sdolski) - Linting: As per latest ash-nazg
- npm: Update devDeps.
- Fix: Avoid cache corruption when the returned structure is modified. Fixes #102. (@tejodorus)
- Fix: allow falsey at values in filter (now may require checking for
presence of
@
in some cases); fixes #136 - Docs: Add old missing release info (reconciling with GitHub releases)
- Docs: Update README to reflect 1.2.0 was not a released version (subsume release details into 2.0.0)
- Linting: As per latest ash-nazg
- npm: Update devDeps.
- Fix: Add package exports for browser and umd (#145) (@gjvoosten)
- Update: Build as per refactoring
- Docs: Update as per typedoc update
- Docs: Update license badges per latest
- Linting: As per latest ash-nazg
- CI: Update from Travis -> GitHub Actions
- npm: Switch from
eslint-plugin-sonarjs
toeslint-plugin-radar
- npm: Switch to pnpm
- npm: Update devDeps.
- Fix: Proper Node CommonJS export; fixes #144
- Fix: Proper Node CommonJS export; fixes #143
- Docs: Properly indicate new browser paths
- Breaking change: Add
type: 'commonjs'
andexports: {import, require}
(withnode-import-test
npm script to demo) - Breaking change: Change paths for browser (now is
dist/index-browser-umd.js
ordist/index-browser-es.js
) (for Node,main
andmodule
point to new Node-specific dist) - Breaking enhancement: Add
browser
for browser bundling; allowing static analysis environments, doesn't have however conditional code to requirevm
); for ESM browser bundling, now must checkbrowser
in Rollup Node resolver plugin; see README - Build: Update per latest devDeps.
- Docs: Add Regex (
.match
) example on value (@jeffreypriebe) - Docs: Add Regex (
.match
) example on property - Docs: Fix XPath example (@humbertoc-silva)
- Docs: Link to XPath 2.0 tester
- Docs: Update badges per latest updates
- Linting: quote props
- Linting: As per latest ash-nazg
- Testing: Fix browser tests
- Testing: Add test case for setting values in callbacks (issue #126)
- Testing: Add more at-sign tests
- Testing: Bump timeout
- Travis: Check Node 14
- Travis: add default
dist
field to avoid extra config reporting - npm: Update from deprecated
rollup-plugin-babel
to@rollup/plugin-babel
(and makebabelHelpers
explicit) - npm: Reorder scripts by test execution order
- npm: Update devDeps
- Breaking change/fix: Disallow
resultType
from being lower-cased (brokeparentProperty
) - Breaking change: Expect Node >= 10
- Build: As per latest rollup
- Linting: Check hidden files; update as per latest ash-nazg
- Docs: Update coverage badge
- npm: Update devDeps
- Breaking change: Expect Node >= 8
- Fix: Require
json
as "own" property - Fix: wrap: false returning inconsistent data types (@CacheControl)
- Fix: Ensure throwing with a bad result type
- Fix: Allow empty string keys
- Fix: Avoid erring when value before parent selector is falsey
- Fix: If
resultType
is "all", if path resolves internally to a non-array (string), ensure it is converted to an array before converting to pointer forpointer
- Enhancement: Allow path as array in non-object signature
- Docs: Add locally-generated badges for testing, coverage, etc.
- Linting (ESLint): As per latest ash-nazg
- Linting (ESLint): Remove redundant "use strict" with switch to ESM
- Maintenance: 2 sp. for package.json
- Testing: Add nyc for coverage
- Testing: Test against source (using
esm
) - Testing: Improve coverage (more type operator tests)
- Testing: Check vm
- npm: Add
test-cov
script - npm: Update devDeps
- Breaking change: Throw
TypeError
instead ofError
for missingotherTypeCallback
when using@other
- Breaking change: Throw
TypeError
instead ofError
for missingpath
- Enhancement: Throw
TypeError
for missingjson
(fixes #110) - Enhancement: Use more efficient
new Function
overeval
; also allows use of cyclic context objects - Enhancement: Add
@root
filter selector - Maintenance: Add
.editorconfig
- Docs: Document options in jsdoc; add return values to callbacks; fix constructor doc sig.
- Testing: Add test for missing
path
orjson
- Testing: Remove unneeded closures
- npm: Update devDeps and
package-lock.json
- Enhancement: Add explicit 'any' to
evaluate()
declaration (for use withnoImplicitAny
TypeScript option) - Build: Update minified build files
- Travis: Update to check Node 6, 10, 12
- npm: Ignore
.idea
/.remarkrc
files - npm: Update devDeps (Babel, linting, Rollup, TypeScript related)
- npm: Avoid eslint script within test script
- npm: Ignore typescript docs
- Add TypeScript declaration
supportsNodeVM
check that works in GOJA, node and ReactNative. (@legander)
- npm: Avoid adding
core-js-bundle
as peerDep. (fixes #95)
- Build: Add
browserslist
for Babel builds - Linting: Conform to ESLint updates (jsdoc)
- Testing: Switch from end-of-lifed nodeunit to Mocha
- Testing: Add performance test to browser, but bump duration
- npm: Update devDeps; add core-js-bundle to peerDependencies
- npm: Ignore some unneeded files
- Bump Node version in Travis to avoid erring with object rest in eslint-plugin-node routine
- Docs (README): Indicate features, including performance (removing old note)
- Docs (README): Add headings for setup and fix headings levels
- Docs (README): Indicate parent selector was not present in original spec (not just not documented)
- Docs (README): Fix escaping
- Linting: Switch to Unix line breaks and other changes per ash-nazg, including linting Markdown JS
- Linting: Use recommended
.json
extension - Linting: Switch to ash-nazg
- Linting: Add lgtm.yml file for lgtm.com
- npm: Update devDeps, and update per security audit
- Fix: Expose
pointer
onresultType: "all"
- Security enhancement: Use global eval instead of regular eval
- Fix: Handle React-Native environment's lack of support for Node vm (@simon-scherzinger); closes #87
- Refactoring: Use arrow functions, for-of, declare block scope vars closer to block
- Docs: Clarify current
wrap
behavior - npm: Add Rollup to test scripts
- Breaking change: With Node use, must now use
require('jsonpath-plus').JSONPath
. - Breaking change: Stop including polyfills for array and string
includes
(can get with@babel/polyfill
or own) - Breaking change: Remove deprecated
JSONPath.eval
- License: Remove old and unneeded license portion from within source file (already have external file)
- Fix: Support object shorthand functions on sandbox objects
(
toString()
had not been working properly with them) - Enhancement: Add Rollup/Babel/Terser and
module
inpackage.json
- Refactoring: Use ES6 features such as object shorthand
- Linting: prefer const and no var
- Testing: Replace custom server code with
node-static
and addopn-cli
; mostly switch to ESM - npm: Update devDeps; add
package-lock.json
; remove non-functioning remark
- Breaking change: Give preference to treating special chars in a property as special (override with backtick operator)
- Breaking feature: Add custom ` operator to allow unambiguous literal sequences (if an initial backtick is needed, an additional one must now be added)
- Fix:
toPathArray
caching bug - Improvements: Performance optimizations
- Dev testing: Rename test file
- Fix: Fixing support for sandbox in the case of functions
- Feature: Use
this
if present for global export - Docs: Clarify function signature
- Docs: Update testing section
- Dev testing: Add in missing test for browser testing
- Dev testing: Add remark linting to testing process (#70)
- Dev testing: Lint JS test support files
- Dev testing: Split out tests into
eslint
,remark
,lint
,nodeunit
- Dev testing: Remove need for nodeunit build step
- Dev testing: Simplify nodeunit usage and make available
as
npm run browser-test
- Feature: Add
@scalar()
type operator (in JavaScript mode, will also include)
- Fix: Avoid double-encoding path in results
- Breaking change (from version 0.11): Silently strip
~
and^
operators and type operators such as@string()
inJSONPath.toPathString()
calls. - Breaking change: Remove
Array.isArray
polyfill as no longer supporting IE <= 8 - Feature: Allow omission of options first argument to
JSONPath
- Feature: Add
JSONPath.toPointer()
and "pointer"resultType
option. - Fix: Correctly support
callback
andotherTypeCallback
as numbered arguments toJSONPath
. - Fix: Enhance Node checking to avoid issue reported with angular-mock
- Fix: Allow for
@
or other special characters in at-sign-prefixed property names (by use of[?(@['...'])]
or[(@['...'])]
).
- Breaking change: Problems with upper-case letters in npm is causing us to rename the package, so have renamed package to "jsonpath-plus" (there are already package with lower-case "jsonpath" or "json-path"). The new name also reflects that there have been changes to the original spec.
- Docs: Actually add the warning in the README that problems in npm with upper-case letters is causing us to rename to "jsonpath-plus" (next version will actually apply the change).
- Docs: Give warning in README that problems in npm with upper-case letters is causing us to rename to "jsonpath-plus" (next version will actually apply the change).
- Breaking change: For unwrapped results, return
undefined
instead offalse
upon failure to find path (to allow distinguishing ofundefined
--a non-allowed JSON value--from the valid JSON values,null
orfalse
) and return the exact value upon falsy single results (in order to allow return ofnull
) - Deprecated: Use of
jsonPath.eval()
; use new class-based API instead - Feature: AMD export
- Feature: By using
self
instead ofwindow
export, allow JSONPath to be trivially imported into web workers, without breaking compatibility in normal scenarios. See MDN on self - Feature: Offer new class-based API and object-based arguments (with
option to run new queries via
evaluate()
method without resupplying config) - Feature: Allow new
preventEval=true
andautostart=false
option - Feature: Allow new callback option to allow a callback function to execute as each final result node is obtained
- Feature: Allow type operators: JavaScript types (
@boolean()
,@number()
,@string()
), other fundamental JavaScript types (@null()
,@object()
,@array()
), the JSONSchema-added type,@integer()
, and the following non-JSON types that can nevertheless be used with JSONPath when querying non-JSON JavaScript objects (@undefined()
,@function()
,@nonFinite()
). Finally,@other()
is made available in conjunction with a new callback option,otherTypeCallback
, can be used to allow user-defined type detection (at least until JSON Schema awareness may be provided). - Feature: Support "parent" and "parentProperty" for resultType along with "all" (which also includes "path" and "value" together)
- Feature: Support custom
@parent
,@parentProperty
,@property
(in addition to custom property@path
) inside evaluations - Feature: Support a custom operator (
~
) to allow grabbing of property names - Feature: Support
$
for retrieval of root, and document this as well as$..
behavior - Feature: Expose cache on
JSONPath.cache
for those who wish to preserve and reuse it - Feature: Expose class methods
toPathString
for converting a path as array into a (normalized) path as string andtoPathArray
for the reverse (though accepting unnormalized strings as well as normalized) - Fix: Allow
^
as property name - Fix: Support
.
within properties - Fix:
@path
in index/property evaluations
- Feature: Support for parent selection via
^
- Feature: Access current path via
@path
in test statements - Feature: Allowing for multi-statement evals
- Improvements: Performance
- Feature: Support a sandbox arg to eval
- Improvements: Use
vm.runInNewContext
in place of eval