json-repair 0.11.1 → 0.11.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 288e3502829f51d11dbf2c3a9ab45f04dd44a1fa9ae5e00c1537f47c215aad96
-  data.tar.gz: 1ab99e5121ef3e73066157569bd85379a527cc1f44ecd7087d4f058133c4fcf0
+  metadata.gz: 69085d74f416811c4ac11ca7cfe2e9545a6cecdaeb32de96532932c99ab4aaf3
+  data.tar.gz: 4deee8e6715200ae693144a2c8cab914b9e8c78c3b539671f7632ce39d7b77f3
 SHA512:
-  metadata.gz: ffc4cd085d9a6aa5b45f3ee605a0fa043e20c68d63fdaab5c736acecbb17f160066d4412a76496300614545577d74d5ca4b232d4354adf625913753f8c0e8477
-  data.tar.gz: 190ea601a010b401fdf0c6aa52670a030ce81d39ebcd1af1f81c9fb2399baf6d074f3135b3b05814d1bcfcd24db53321a779b760c8eebe8d5a9ce2e029476754
+  metadata.gz: 31242bd165c070b1836d85a3fca120b5853a6e1ed715dbaeb75aa026563e033a7af491e318c119f3f3f899c4a7bb55382fc998372d7b55953358dc95d9c526be
+  data.tar.gz: b8a5a58a36d1c2b36922205f2b3b8d33e89e570fc215ed02ef288577a8d1325d96fa21cda9267ca78f44754b00a3150e5f6d149d6087c9f020e23090d47a13f2

data/.rubocop.yml

@@ -1,5 +1,15 @@
+# Merge our Exclude lists with RuboCop's defaults (vendor/**/*, tmp/**/*, …)
+# instead of replacing them — CI vendors gems into vendor/bundle, which
+# RuboCop must keep skipping.
+inherit_mode:
+  merge:
+    - Exclude
+
 AllCops:
   TargetRubyVersion: 3.0
+  Exclude:
+    # gitignored local planning notes and scratch tooling (see CLAUDE.md)
+    - docs/**/*
 
 Style/Documentation:
   Enabled: false

data/CHANGELOG.md

@@ -1,6 +1,49 @@
 # Changes
 
-### 2026-06-12 (0.11.1)
+### 2026-06-12 (0.11.3)
+
+* Fix infinite recursion (`SystemStackError`) on a quoted string
+  followed by a backslash-escaped delimiter, like `["y"\, "z"]`. The
+  missing-end-quote retry in `parse_string` stops at the comma it
+  detected in the first pass, but the invalid-escape repair consumed
+  `\,` as one two-character step, jumping over the stop index and
+  re-firing the retry with identical arguments forever — violating the
+  contract that `JSONRepairError` is the only error raised. The escaped
+  delimiter now ends the string there and the dangling backslash is
+  dropped (the standard invalid-escape repair): `["y"\, "z"]` →
+  `["y\"","z"]`. The stop-index check is also hardened from `==` to
+  `>=` so no future multi-character advance can step over it and
+  recurse. Deliberate divergence from upstream
+  [jsonrepair](https://github.com/josdejong/jsonrepair), which crashes
+  with "Maximum call stack size exceeded" on the same input as of
+  v3.14.0 (still its latest release). Found by differential fuzzing
+  during the 0.11.2 work and re-validated the same way: across a
+  240-input grid of escape-adjacent shapes, only previously-crashing
+  inputs changed behavior — object shapes like `{"k": "y"\, "z"}` now
+  raise the same "Colon expected" as their backslash-free analog
+  `{"k": "y", "z"}`. Benchmarks flat vs 0.11.2.
+
+### 2026-06-12 (0.11.2)
+
+* Fix the 0.11.0 doubled-colon repair silently mangling objects with a
+  stray junk word between pairs. `{"value_1": true, COMMENT "value_2":
+  "data"}` returned `{"value_1":true,"COMMENT":"value_2\": \"data"}`
+  (the junk word became a key and swallowed the real pair), and
+  `{ "key": "value" COMMENT "key2": "value2" }` returned a single
+  glued string value. Both shapes now raise "Object key expected"
+  again at the same positions as upstream
+  [jsonrepair](https://github.com/josdejong/jsonrepair) v3.14.0,
+  restoring the pre-0.11.0 behavior: the merge is skipped when the
+  pair already needed a missing-colon repair or the value string was
+  itself salvaged by the unescaped-quote repair — signals that the
+  pair was malformed in a way the merge would compound, not fix. The
+  salvage signal survives string concatenation: in
+  `{"a": "b" x "c" + "d": "e"}` the `+ "d"` segment no longer clears
+  it (caught in review by Copilot). All
+  0.11.0 repairs (canonical, greedy, escaped quotes, unquoted
+  keys/values) are unchanged. Go and Python `json_repair` instead
+  drop the junk word; we deliberately keep raising rather than
+  silently discarding input (see the 0.11.0 note).
 
 * Fix a `TypeError` crash on input ending in a lone backslash inside a
   string: `"abc\` now repairs to `"abc"` (likewise `"\` → `""`,

data/lib/json/repair/version.rb

@@ -2,6 +2,6 @@
 
 module JSON
   module Repair
-    VERSION = '0.11.1'
+    VERSION = '0.11.3'
   end
 end

data/lib/json/repairer.rb

@@ -32,6 +32,7 @@ module JSON
       @json = json
       @index = 0
       @output = +''
+      @repaired_unescaped_quote = false
     end
 
     def repair
@@ -295,8 +296,14 @@ module JSON
         end
 
         # repair: an object string value with unescaped quotes around a
-        # colon, like {"a": "b": "c"}
-        repair_doubled_colon if processed_value
+        # colon, like {"a": "b": "c"}. Skipped when this pair already
+        # needed a repair that makes the merge compound garbage: a
+        # missing colon (the "key" was a stray junk word, like
+        # {"v1": true, COMMENT "v2": "data"}) or a value glued together
+        # by the unescaped-quote repair (like
+        # {"k": "v" COMMENT "k2": "v2"}); both keep raising, matching
+        # upstream
+        repair_doubled_colon if processed_value && processed_colon && !@repaired_unescaped_quote
       end
 
       if @json[@index] == CLOSING_BRACE
@@ -315,9 +322,13 @@ module JSON
     # (the unescaped-quotes reading of the input). Greedy: keeps merging
     # while another `: "..."` follows. Only the string-colon-string
     # shape is repaired; anything else falls through to the regular
-    # error paths. Divergence from upstream (which raises "Object key
-    # expected" as of v3.14.0), matching the Go and Python json-repair
-    # libraries on the canonical case.
+    # error paths. The call site additionally requires the pair's colon
+    # to be present in the input and the value string to have parsed
+    # without the unescaped-quote repair (@repaired_unescaped_quote) —
+    # when either repair already fired, the pair was malformed in a way
+    # this merge would compound, not fix. Divergence from upstream
+    # (which raises "Object key expected" as of v3.14.0), matching the
+    # Go and Python json-repair libraries on the canonical case.
     def repair_doubled_colon
       loop do
         colon = @index
@@ -399,6 +410,9 @@ module JSON
     #   and fixing the string by inserting a quote there, or stopping at a
     #   stop index detected in the first iteration.
     def parse_string(stop_at_delimiter: false, stop_at_index: -1)
+      # fresh parse (the backtracking re-invocations below rebuild the
+      # string from scratch, so they reset too); see repair_doubled_colon
+      @repaired_unescaped_quote = false
       skip_escape_chars = @json[@index] == BACKSLASH
       if skip_escape_chars
         # repair: remove the first escape character
@@ -449,7 +463,13 @@ module JSON
           return true
         end
 
-        if @index == stop_at_index
+        # >= with a sentinel guard, not ==. Divergence from upstream (which
+        # compares with == as of v3.14.0): a multi-character advance below
+        # can step over the stop index, and resuming the comma-path retry
+        # from beyond it would re-fire that retry with identical arguments
+        # forever. The invalid-escape repair below avoids the only known
+        # overshoot; this is the backstop guaranteeing termination.
+        if stop_at_index >= 0 && @index >= stop_at_index
           # use the stop index detected in the first iteration, and repair end quote
           str = insert_before_last_whitespace(str, '"')
           @output << str
@@ -508,6 +528,7 @@ module JSON
 
           # repair unescaped quote
           str = "#{str[...o_quote]}\\#{str[o_quote..]}"
+          @repaired_unescaped_quote = true
         elsif stop_at_delimiter && unquoted_string_delimiter?(@json[@index])
           # we're in the mode to stop the string at the first delimiter
           # because there is an end quote missing
@@ -554,6 +575,15 @@ module JSON
             # repair a backslash escaped newline (like in Bash scripts)
             str << '\n'
             @index += 2
+          elsif @index + 1 == stop_at_index
+            # repair invalid escape character: remove it — but the escaped
+            # character is the delimiter the comma-path retry said to stop
+            # at, so drop only the backslash and let the stop check above
+            # fire there, keeping the delimiter a delimiter. Divergence
+            # from upstream, which consumes both characters, jumps the stop
+            # index, and crashes ("Maximum call stack size exceeded" on
+            # inputs like `["y"\, "z"]` as of v3.14.0).
+            @index += 1
           else
             # repair invalid escape character: remove it
             str << char
@@ -807,7 +837,12 @@ module JSON
         # repair: remove the end quote of the first string
         @output = strip_last_occurrence(@output, '"', strip_remaining_text: true)
         start = @output.length
+        # the segments form one logical string value: keep the doubled-colon
+        # guard's flag set when an earlier segment needed the unescaped-quote
+        # repair (parse_string resets it on entry)
+        repaired_earlier_segment = @repaired_unescaped_quote
         parsed_str = parse_string
+        @repaired_unescaped_quote ||= repaired_earlier_segment
         @output = if parsed_str
                     # repair: remove the start quote of the second string
                     remove_at_index(@output, start, 1)

data/sig/json/repairer.rbs

@@ -15,6 +15,8 @@ module JSON
 
     @output: ::String
 
+    @repaired_unescaped_quote: bool
+
     include Repair::StringUtils
 
     CONTROL_CHARACTERS: ::Hash[::String, "\\b" | "\\f" | "\\n" | "\\r" | "\\t"]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json-repair
 version: !ruby/object:Gem::Version
-  version: 0.11.1
+  version: 0.11.3
 platform: ruby
 authors:
 - Aleksandr Zykov