@apidevtools/json-schema-ref-parser 11.1.0 → 11.2.0

package/README.md

@@ -1,7 +1,5 @@
 # JSON Schema $Ref Parser
 
-_**This package needs [a new maintainer](https://github.com/APIDevTools/json-schema-ref-parser/issues/285) or at least some contributors. For more information [please read this article](https://phil.tech/2022/bundling-openapi-with-javascript/). As of v10.0.0 I am no longer spending any time working on this tool, so I can focus on scaling up my [reforestation charity](https://protect.earth/) instead of burning myself out trying to maintain a whole load of OSS projects I don't use in my vanishingly small spare time. Get in touch if you'd like to take over.** - [Phil Sturgeon](https://github.com/philsturgeon)_
-
 #### Parse, Resolve, and Dereference JSON Schema $ref pointers
 
 [![Build Status](https://github.com/APIDevTools/json-schema-ref-parser/workflows/CI-CD/badge.svg?branch=master)](https://github.com/APIDevTools/json-schema-ref-parser/actions)

package/dist/lib/bundle.js

@@ -136,17 +136,17 @@ function inventory$Ref($refParent, $refKey, path, pathFromRoot, indirections, in
         }
     }
     inventory.push({
-        $ref,
-        parent: $refParent,
-        key: $refKey,
-        pathFromRoot,
-        depth,
-        file,
-        hash,
-        value: pointer.value,
-        circular: pointer.circular,
-        extended,
-        external,
+        $ref, // The JSON Reference (e.g. {$ref: string})
+        parent: $refParent, // The object that contains this $ref pointer
+        key: $refKey, // The key in `parent` that is the $ref pointer
+        pathFromRoot, // The path to the $ref pointer, from the JSON Schema root
+        depth, // How far from the JSON Schema root is this $ref pointer?
+        file, // The file that the $ref pointer resolves to
+        hash, // The hash within `file` that the $ref pointer resolves to
+        value: pointer.value, // The resolved value of the $ref pointer
+        circular: pointer.circular, // Is this $ref pointer DIRECTLY circular? (i.e. it references itself)
+        extended, // Does this $ref extend its resolved value? (i.e. it has extra properties, in addition to "$ref")
+        external, // Does this $ref pointer point to a file other than the main JSON Schema file?
         indirections, // The number of indirect references that were traversed to resolve the value
     });
     // Recursively crawl the resolved value

package/dist/lib/dereference.js

@@ -89,7 +89,7 @@ function crawl(obj, path, pathFromRoot, parents, processedObjects, dereferencedC
                         if (obj[key] !== dereferenced.value) {
                             obj[key] = dereferenced.value;
                             if (options.dereference.onDereference) {
-                                options.dereference.onDereference(value.$ref, obj[key]);
+                                options.dereference.onDereference(value.$ref, obj[key], obj, key);
                             }
                         }
                     }

package/dist/lib/options.d.ts

@@ -65,10 +65,12 @@ interface $RefParserOptions {
         /**
          * Callback invoked during dereferencing.
          *
-         * @argument {string} path The path being dereferenced (ie. the `$ref` string).
-         * @argument {JSONSchemaObject} object The JSON-Schema that the `$ref` resolved to.
+         * @argument {string} path - The path being dereferenced (ie. the `$ref` string)
+         * @argument {JSONSchemaObject} value - The JSON-Schema that the `$ref` resolved to
+         * @argument {JSONSchemaObject} parent - The parent of the dereferenced object
+         * @argument {string} parentPropName - The prop name of the parent object whose value was dereferenced
          */
-        onDereference?(path: string, value: JSONSchemaObject): void;
+        onDereference?(path: string, value: JSONSchemaObject, parent?: JSONSchemaObject, parentPropName?: string): void;
         /**
          * Whether a reference should resolve relative to its directory/path, or from the cwd
          *

package/dist/lib/options.js

@@ -91,7 +91,8 @@ exports.getNewOptions = getNewOptions;
  */
 function merge(target, source) {
     if (isMergeable(source)) {
-        const keys = Object.keys(source);
+        // prevent prototype pollution
+        const keys = Object.keys(source).filter((key) => !["__proto__", "constructor", "prototype"].includes(key));
         for (let i = 0; i < keys.length; i++) {
             const key = keys[i];
             const sourceSetting = source[key];

package/dist/lib/parsers/yaml.js

@@ -21,7 +21,7 @@ exports.default = {
      * Parsers that don't match will be skipped, UNLESS none of the parsers match, in which case
      * every parser will be tried.
      */
-    canParse: [".yaml", ".yml", ".json"],
+    canParse: [".yaml", ".yml", ".json"], // JSON is valid YAML
     /**
      * Parses the given file as YAML
      *

package/dist/lib/pointer.js

@@ -68,11 +68,11 @@ class Pointer {
         // Crawl the object, one token at a time
         this.value = unwrapOrThrow(obj);
         for (let i = 0; i < tokens.length; i++) {
-            if (resolveIf$Ref(this, options)) {
+            if (resolveIf$Ref(this, options, pathFromRoot)) {
                 // The $ref path has changed, so append the remaining tokens to the path
                 this.path = Pointer.join(this.path, tokens.slice(i));
             }
-            if (typeof this.value === "object" && this.value !== null && "$ref" in this.value) {
+            if (typeof this.value === "object" && this.value !== null && !isRootPath(pathFromRoot) && "$ref" in this.value) {
                 return this;
             }
             const token = tokens[i];
@@ -86,7 +86,7 @@ class Pointer {
         }
         // Resolve the final value
         if (!this.value || (this.value.$ref && url.resolve(this.path, this.value.$ref) !== pathFromRoot)) {
-            resolveIf$Ref(this, options);
+            resolveIf$Ref(this, options, pathFromRoot);
         }
         return this;
     }
@@ -190,13 +190,14 @@ class Pointer {
  *
  * @param pointer
  * @param options
+ * @param [pathFromRoot] - the path of place that initiated resolving
  * @returns - Returns `true` if the resolution path changed
  */
-function resolveIf$Ref(pointer, options) {
+function resolveIf$Ref(pointer, options, pathFromRoot) {
     // Is the value a JSON reference? (and allowed?)
     if (ref_js_1.default.isAllowed$Ref(pointer.value, options)) {
         const $refPath = url.resolve(pointer.path, pointer.value.$ref);
-        if ($refPath === pointer.path) {
+        if ($refPath === pointer.path && !isRootPath(pathFromRoot)) {
             // The value is a reference to itself, so there's nothing to do.
             pointer.circular = true;
         }
@@ -254,3 +255,6 @@ function unwrapOrThrow(value) {
     }
     return value;
 }
+function isRootPath(pathFromRoot) {
+    return typeof pathFromRoot == "string" && Pointer.parse(pathFromRoot).length == 0;
+}

package/dist/lib/resolvers/http.js

@@ -44,7 +44,7 @@ exports.default = {
     /**
      * HTTP request timeout (in milliseconds).
      */
-    timeout: 5000,
+    timeout: 5000, // 5 seconds
     /**
      * The maximum number of HTTP redirects to follow.
      * To disable automatic following of redirects, set this to zero.

package/dist/lib/util/convert-path-to-posix.js

@@ -9,6 +9,6 @@ function convertPathToPosix(filePath) {
     if (isExtendedLengthPath) {
         return filePath;
     }
-    return filePath.split(path_1.default.win32.sep).join(path_1.default.posix.sep);
+    return filePath.split(path_1.default?.win32?.sep).join(path_1.default.posix.sep);
 }
 exports.default = convertPathToPosix;

package/lib/dereference.ts

@@ -107,7 +107,7 @@ function crawl(
             if (obj[key] !== dereferenced.value) {
               obj[key] = dereferenced.value;
               if (options.dereference.onDereference) {
-                options.dereference.onDereference(value.$ref, obj[key]);
+                options.dereference.onDereference(value.$ref, obj[key], obj, key);
               }
             }
           } else {

package/lib/options.ts

@@ -79,10 +79,12 @@ interface $RefParserOptions {
     /**
      * Callback invoked during dereferencing.
      *
-     * @argument {string} path The path being dereferenced (ie. the `$ref` string).
-     * @argument {JSONSchemaObject} object The JSON-Schema that the `$ref` resolved to.
+     * @argument {string} path - The path being dereferenced (ie. the `$ref` string)
+     * @argument {JSONSchemaObject} value - The JSON-Schema that the `$ref` resolved to
+     * @argument {JSONSchemaObject} parent - The parent of the dereferenced object
+     * @argument {string} parentPropName - The prop name of the parent object whose value was dereferenced
      */
-    onDereference?(path: string, value: JSONSchemaObject): void;
+    onDereference?(path: string, value: JSONSchemaObject, parent?: JSONSchemaObject, parentPropName?: string): void;
 
     /**
      * Whether a reference should resolve relative to its directory/path, or from the cwd
@@ -180,7 +182,8 @@ export type ParserOptions = DeepPartial<$RefParserOptions>;
  */
 function merge(target: any, source: any) {
   if (isMergeable(source)) {
-    const keys = Object.keys(source);
+    // prevent prototype pollution
+    const keys = Object.keys(source).filter((key) => !["__proto__", "constructor", "prototype"].includes(key));
     for (let i = 0; i < keys.length; i++) {
       const key = keys[i];
       const sourceSetting = source[key];

package/lib/pointer.ts

@@ -83,12 +83,12 @@ class Pointer {
     this.value = unwrapOrThrow(obj);
 
     for (let i = 0; i < tokens.length; i++) {
-      if (resolveIf$Ref(this, options)) {
+      if (resolveIf$Ref(this, options, pathFromRoot)) {
         // The $ref path has changed, so append the remaining tokens to the path
         this.path = Pointer.join(this.path, tokens.slice(i));
       }
 
-      if (typeof this.value === "object" && this.value !== null && "$ref" in this.value) {
+      if (typeof this.value === "object" && this.value !== null && !isRootPath(pathFromRoot) && "$ref" in this.value) {
         return this;
       }
 
@@ -103,7 +103,7 @@ class Pointer {
 
     // Resolve the final value
     if (!this.value || (this.value.$ref && url.resolve(this.path, this.value.$ref) !== pathFromRoot)) {
-      resolveIf$Ref(this, options);
+      resolveIf$Ref(this, options, pathFromRoot);
     }
 
     return this;
@@ -224,15 +224,16 @@ class Pointer {
  *
  * @param pointer
  * @param options
+ * @param [pathFromRoot] - the path of place that initiated resolving
  * @returns - Returns `true` if the resolution path changed
  */
-function resolveIf$Ref(pointer: any, options: any) {
+function resolveIf$Ref(pointer: any, options: any, pathFromRoot?: any) {
   // Is the value a JSON reference? (and allowed?)
 
   if ($Ref.isAllowed$Ref(pointer.value, options)) {
     const $refPath = url.resolve(pointer.path, pointer.value.$ref);
 
-    if ($refPath === pointer.path) {
+    if ($refPath === pointer.path && !isRootPath(pathFromRoot)) {
       // The value is a reference to itself, so there's nothing to do.
       pointer.circular = true;
     } else {
@@ -294,3 +295,7 @@ function unwrapOrThrow(value: any) {
 
   return value;
 }
+
+function isRootPath(pathFromRoot: any): boolean {
+  return typeof pathFromRoot == "string" && Pointer.parse(pathFromRoot).length == 0;
+}

package/lib/util/convert-path-to-posix.ts

@@ -7,5 +7,5 @@ export default function convertPathToPosix(filePath: string) {
     return filePath;
   }
 
-  return filePath.split(path.win32.sep).join(path.posix.sep);
+  return filePath.split(path?.win32?.sep).join(path.posix.sep);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apidevtools/json-schema-ref-parser",
-  "version": "11.1.0",
+  "version": "11.2.0",
   "description": "Parse, Resolve, and Dereference JSON Schema $ref pointers",
   "keywords": [
     "json",
@@ -57,7 +57,7 @@
   "scripts": {
     "prepublishOnly": "yarn build",
     "lint": "eslint lib",
-    "build": "rm -fr dist/* && tsc",
+    "build": "rimraf dist && tsc",
     "typecheck": "tsc --noEmit",
     "prettier": "prettier --write \"**/*.+(js|jsx|ts|tsx|har||json|css|md)\"",
     "test": "vitest --coverage",
@@ -67,33 +67,34 @@
     "test:watch": "vitest -w"
   },
   "devDependencies": {
-    "@types/eslint": "8.44.2",
-    "@types/js-yaml": "^4.0.6",
-    "@types/node": "^20.6.2",
-    "@typescript-eslint/eslint-plugin": "^6.7.2",
-    "@typescript-eslint/eslint-plugin-tslint": "^6.7.2",
-    "@typescript-eslint/parser": "^6.7.2",
-    "@vitest/coverage-v8": "^0.34.4",
+    "@types/eslint": "8.56.5",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.11.24",
+    "@typescript-eslint/eslint-plugin": "^7.1.1",
+    "@typescript-eslint/eslint-plugin-tslint": "^7.0.2",
+    "@typescript-eslint/parser": "^7.1.1",
+    "@vitest/coverage-v8": "^1.3.1",
     "abortcontroller-polyfill": "^1.7.5",
     "cross-env": "^7.0.3",
-    "eslint": "^8.49.0",
-    "eslint-config-prettier": "^9.0.0",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
     "eslint-config-standard": "^17.1.0",
-    "eslint-plugin-import": "^2.28.1",
-    "eslint-plugin-prettier": "^5.0.0",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-prettier": "^5.1.3",
     "eslint-plugin-promise": "^6.1.1",
-    "eslint-plugin-unused-imports": "^3.0.0",
-    "jsdom": "^22.1.0",
-    "lint-staged": "^14.0.1",
+    "eslint-plugin-unused-imports": "^3.1.0",
+    "jsdom": "^24.0.0",
+    "lint-staged": "^15.2.2",
     "node-fetch": "^3.3.2",
-    "prettier": "^3.0.3",
-    "typescript": "^5.2.2",
-    "vitest": "^0.34.4"
+    "prettier": "^3.2.5",
+    "rimraf": "^5.0.5",
+    "typescript": "^5.3.3",
+    "vitest": "^1.3.1"
   },
   "dependencies": {
     "@jsdevtools/ono": "^7.1.3",
-    "@types/json-schema": "^7.0.13",
-    "@types/lodash.clonedeep": "^4.5.7",
+    "@types/json-schema": "^7.0.15",
+    "@types/lodash.clonedeep": "^4.5.9",
     "js-yaml": "^4.1.0",
     "lodash.clonedeep": "^4.5.0"
   },
@@ -107,5 +108,6 @@
       "@semantic-release/npm",
       "@semantic-release/github"
     ]
-  }
+  },
+  "packageManager": "yarn@4.1.1"
 }