npm - @orpc/openapi-client - Versions diffs - 1.6.5 → 1.6.6 - Mend

@orpc/openapi-client 1.6.5 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/adapters/fetch/index.d.mts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { ClientContext } from '@orpc/client';
 import { LinkFetchClientOptions } from '@orpc/client/fetch';
 import { AnyContractRouter } from '@orpc/contract';
-import { f as StandardOpenAPILinkOptions, g as StandardOpenAPILink } from '../../shared/openapi-client.Bc2pHPqD.mjs';
+import { g as StandardOpenAPILinkOptions, h as StandardOpenAPILink } from '../../shared/openapi-client.f2unmElJ.mjs';
 import '@orpc/client/standard';
 import '@orpc/shared';
 import '@orpc/standard-server';

package/dist/adapters/fetch/index.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { ClientContext } from '@orpc/client';
 import { LinkFetchClientOptions } from '@orpc/client/fetch';
 import { AnyContractRouter } from '@orpc/contract';
-import { f as StandardOpenAPILinkOptions, g as StandardOpenAPILink } from '../../shared/openapi-client.Bc2pHPqD.js';
+import { g as StandardOpenAPILinkOptions, h as StandardOpenAPILink } from '../../shared/openapi-client.f2unmElJ.js';
 import '@orpc/client/standard';
 import '@orpc/shared';
 import '@orpc/standard-server';

package/dist/adapters/fetch/index.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
 import { LinkFetchClient } from '@orpc/client/fetch';
 import '@orpc/shared';
 import '@orpc/contract';
-import { b as StandardOpenAPILink } from '../../shared/openapi-client.Bix5hHnT.mjs';
+import { b as StandardOpenAPILink } from '../../shared/openapi-client.D3eD5ojB.mjs';
 import '@orpc/client';
 import '@orpc/client/standard';
 import '@orpc/standard-server';

package/dist/adapters/standard/index.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-export { S as StandardBracketNotationSerialized, a as StandardBracketNotationSerializer, c as StandardOpenAPICustomJsonSerializer, b as StandardOpenAPIJsonSerialized, e as StandardOpenAPIJsonSerializer, d as StandardOpenAPIJsonSerializerOptions, g as StandardOpenAPILink, f as StandardOpenAPILinkOptions, j as StandardOpenAPISerializeOptions, k as StandardOpenAPISerializer, i as StandardOpenapiLinkCodec, h as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.Bc2pHPqD.mjs';
+export { S as StandardBracketNotationSerialized, b as StandardBracketNotationSerializer, a as StandardBracketNotationSerializerOptions, d as StandardOpenAPICustomJsonSerializer, c as StandardOpenAPIJsonSerialized, f as StandardOpenAPIJsonSerializer, e as StandardOpenAPIJsonSerializerOptions, h as StandardOpenAPILink, g as StandardOpenAPILinkOptions, k as StandardOpenAPISerializeOptions, l as StandardOpenAPISerializer, j as StandardOpenapiLinkCodec, i as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.f2unmElJ.mjs';
 import { HTTPPath } from '@orpc/client';
 import '@orpc/client/standard';
 import '@orpc/contract';

package/dist/adapters/standard/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export { S as StandardBracketNotationSerialized, a as StandardBracketNotationSerializer, c as StandardOpenAPICustomJsonSerializer, b as StandardOpenAPIJsonSerialized, e as StandardOpenAPIJsonSerializer, d as StandardOpenAPIJsonSerializerOptions, g as StandardOpenAPILink, f as StandardOpenAPILinkOptions, j as StandardOpenAPISerializeOptions, k as StandardOpenAPISerializer, i as StandardOpenapiLinkCodec, h as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.Bc2pHPqD.js';
+export { S as StandardBracketNotationSerialized, b as StandardBracketNotationSerializer, a as StandardBracketNotationSerializerOptions, d as StandardOpenAPICustomJsonSerializer, c as StandardOpenAPIJsonSerialized, f as StandardOpenAPIJsonSerializer, e as StandardOpenAPIJsonSerializerOptions, h as StandardOpenAPILink, g as StandardOpenAPILinkOptions, k as StandardOpenAPISerializeOptions, l as StandardOpenAPISerializer, j as StandardOpenapiLinkCodec, i as StandardOpenapiLinkCodecOptions } from '../../shared/openapi-client.f2unmElJ.js';
 import { HTTPPath } from '@orpc/client';
 import '@orpc/client/standard';
 import '@orpc/contract';

package/dist/adapters/standard/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
-import { S as StandardBracketNotationSerializer } from '../../shared/openapi-client.Bix5hHnT.mjs';
-export { a as StandardOpenAPIJsonSerializer, b as StandardOpenAPILink, d as StandardOpenAPISerializer, c as StandardOpenapiLinkCodec, g as getDynamicParams, s as standardizeHTTPPath } from '../../shared/openapi-client.Bix5hHnT.mjs';
+import { S as StandardBracketNotationSerializer } from '../../shared/openapi-client.D3eD5ojB.mjs';
+export { a as StandardOpenAPIJsonSerializer, b as StandardOpenAPILink, d as StandardOpenAPISerializer, c as StandardOpenapiLinkCodec, g as getDynamicParams, s as standardizeHTTPPath } from '../../shared/openapi-client.D3eD5ojB.mjs';
 import { isSchemaIssue } from '@orpc/contract';
 import { isTypescriptObject } from '@orpc/shared';
 import '@orpc/client/standard';

package/dist/shared/{openapi-client.Bix5hHnT.mjs → openapi-client.D3eD5ojB.mjs} RENAMED Viewed

@@ -5,6 +5,10 @@ import { isContractProcedure, fallbackContractConfig, ORPCError } from '@orpc/co
 import { mergeStandardHeaders, ErrorEvent } from '@orpc/standard-server';
 class StandardBracketNotationSerializer {
+  maxArrayIndex;
+  constructor(options = {}) {
+    this.maxArrayIndex = options.maxBracketNotationArrayIndex ?? 9999;
+  }
   serialize(data, segments = [], result = []) {
     if (Array.isArray(data)) {
       data.forEach((item, i) => {
@@ -34,7 +38,7 @@ class StandardBracketNotationSerializer {
           currentRef[nextSegment] = [];
         }
         if (i !== segments.length - 1) {
-          if (Array.isArray(currentRef[nextSegment]) && !isValidArrayIndex(segment)) {
+          if (Array.isArray(currentRef[nextSegment]) && !isValidArrayIndex(segment, this.maxArrayIndex)) {
             if (arrayPushStyles.has(currentRef[nextSegment])) {
               arrayPushStyles.delete(currentRef[nextSegment]);
               currentRef[nextSegment] = pushStyleArrayToObject(currentRef[nextSegment]);
@@ -52,7 +56,7 @@ class StandardBracketNotationSerializer {
               if (arrayPushStyles.has(currentRef[nextSegment])) {
                 arrayPushStyles.delete(currentRef[nextSegment]);
                 currentRef[nextSegment] = pushStyleArrayToObject(currentRef[nextSegment]);
-              } else if (!isValidArrayIndex(segment)) {
+              } else if (!isValidArrayIndex(segment, this.maxArrayIndex)) {
                 currentRef[nextSegment] = arrayToObject(currentRef[nextSegment]);
               }
             }
@@ -127,8 +131,8 @@ class StandardBracketNotationSerializer {
     return inBrackets || segments.length === 0 ? [path] : segments;
   }
 }
-function isValidArrayIndex(value) {
-  return /^0$|^[1-9]\d*$/.test(value);
+function isValidArrayIndex(value, maxIndex) {
+  return /^0$|^[1-9]\d*$/.test(value) && Number(value) <= maxIndex;
 }
 function arrayToObject(array) {
   const obj = new NullProtoObj();
@@ -424,7 +428,7 @@ class StandardOpenAPISerializer {
 class StandardOpenAPILink extends StandardLink {
   constructor(contract, linkClient, options) {
     const jsonSerializer = new StandardOpenAPIJsonSerializer(options);
-    const bracketNotationSerializer = new StandardBracketNotationSerializer();
+    const bracketNotationSerializer = new StandardBracketNotationSerializer({ maxBracketNotationArrayIndex: 4294967294 });
     const serializer = new StandardOpenAPISerializer(jsonSerializer, bracketNotationSerializer);
     const linkCodec = new StandardOpenapiLinkCodec(contract, serializer, options);
     super(linkCodec, linkClient, options);

package/dist/shared/{openapi-client.Bc2pHPqD.d.mts → openapi-client.f2unmElJ.d.mts} RENAMED Viewed

@@ -5,7 +5,25 @@ import { Segment, Value, Promisable } from '@orpc/shared';
 import { StandardHeaders, StandardRequest, StandardLazyResponse } from '@orpc/standard-server';
 type StandardBracketNotationSerialized = [string, unknown][];
+interface StandardBracketNotationSerializerOptions {
+    /**
+     * Maximum allowed array index for bracket notation deserialization.
+     *
+     * This helps protect against memory exhaustion attacks where malicious input
+     * uses extremely large array indices (e.g., `?arr[4294967296]=value`).
+     *
+     * While bracket notation creates sparse arrays that handle large indices efficiently,
+     * downstream code might inadvertently convert these sparse arrays to dense arrays,
+     * potentially creating millions of undefined elements and causing memory issues.
+     *
+     * @note Only applies to deserialization.
+     * @default 9_999 (array with 10,000 elements)
+     */
+    maxBracketNotationArrayIndex?: number;
+}
 declare class StandardBracketNotationSerializer {
+    private readonly maxArrayIndex;
+    constructor(options?: StandardBracketNotationSerializerOptions);
     serialize(data: unknown, segments?: Segment[], result?: StandardBracketNotationSerialized): StandardBracketNotationSerialized;
     deserialize(serialized: StandardBracketNotationSerialized): Record<string, unknown> | unknown[];
     stringifyPath(segments: readonly Segment[]): string;
@@ -75,5 +93,5 @@ declare class StandardOpenAPILink<T extends ClientContext> extends StandardLink<
     constructor(contract: AnyContractRouter, linkClient: StandardLinkClient<T>, options: StandardOpenAPILinkOptions<T>);
 }
-export { StandardBracketNotationSerializer as a, StandardOpenAPIJsonSerializer as e, StandardOpenAPILink as g, StandardOpenapiLinkCodec as i, StandardOpenAPISerializer as k };
-export type { StandardBracketNotationSerialized as S, StandardOpenAPIJsonSerialized as b, StandardOpenAPICustomJsonSerializer as c, StandardOpenAPIJsonSerializerOptions as d, StandardOpenAPILinkOptions as f, StandardOpenapiLinkCodecOptions as h, StandardOpenAPISerializeOptions as j };
+export { StandardBracketNotationSerializer as b, StandardOpenAPIJsonSerializer as f, StandardOpenAPILink as h, StandardOpenapiLinkCodec as j, StandardOpenAPISerializer as l };
+export type { StandardBracketNotationSerialized as S, StandardBracketNotationSerializerOptions as a, StandardOpenAPIJsonSerialized as c, StandardOpenAPICustomJsonSerializer as d, StandardOpenAPIJsonSerializerOptions as e, StandardOpenAPILinkOptions as g, StandardOpenapiLinkCodecOptions as i, StandardOpenAPISerializeOptions as k };

package/dist/shared/{openapi-client.Bc2pHPqD.d.ts → openapi-client.f2unmElJ.d.ts} RENAMED Viewed

@@ -5,7 +5,25 @@ import { Segment, Value, Promisable } from '@orpc/shared';
 import { StandardHeaders, StandardRequest, StandardLazyResponse } from '@orpc/standard-server';
 type StandardBracketNotationSerialized = [string, unknown][];
+interface StandardBracketNotationSerializerOptions {
+    /**
+     * Maximum allowed array index for bracket notation deserialization.
+     *
+     * This helps protect against memory exhaustion attacks where malicious input
+     * uses extremely large array indices (e.g., `?arr[4294967296]=value`).
+     *
+     * While bracket notation creates sparse arrays that handle large indices efficiently,
+     * downstream code might inadvertently convert these sparse arrays to dense arrays,
+     * potentially creating millions of undefined elements and causing memory issues.
+     *
+     * @note Only applies to deserialization.
+     * @default 9_999 (array with 10,000 elements)
+     */
+    maxBracketNotationArrayIndex?: number;
+}
 declare class StandardBracketNotationSerializer {
+    private readonly maxArrayIndex;
+    constructor(options?: StandardBracketNotationSerializerOptions);
     serialize(data: unknown, segments?: Segment[], result?: StandardBracketNotationSerialized): StandardBracketNotationSerialized;
     deserialize(serialized: StandardBracketNotationSerialized): Record<string, unknown> | unknown[];
     stringifyPath(segments: readonly Segment[]): string;
@@ -75,5 +93,5 @@ declare class StandardOpenAPILink<T extends ClientContext> extends StandardLink<
     constructor(contract: AnyContractRouter, linkClient: StandardLinkClient<T>, options: StandardOpenAPILinkOptions<T>);
 }
-export { StandardBracketNotationSerializer as a, StandardOpenAPIJsonSerializer as e, StandardOpenAPILink as g, StandardOpenapiLinkCodec as i, StandardOpenAPISerializer as k };
-export type { StandardBracketNotationSerialized as S, StandardOpenAPIJsonSerialized as b, StandardOpenAPICustomJsonSerializer as c, StandardOpenAPIJsonSerializerOptions as d, StandardOpenAPILinkOptions as f, StandardOpenapiLinkCodecOptions as h, StandardOpenAPISerializeOptions as j };
+export { StandardBracketNotationSerializer as b, StandardOpenAPIJsonSerializer as f, StandardOpenAPILink as h, StandardOpenapiLinkCodec as j, StandardOpenAPISerializer as l };
+export type { StandardBracketNotationSerialized as S, StandardBracketNotationSerializerOptions as a, StandardOpenAPIJsonSerialized as c, StandardOpenAPICustomJsonSerializer as d, StandardOpenAPIJsonSerializerOptions as e, StandardOpenAPILinkOptions as g, StandardOpenapiLinkCodecOptions as i, StandardOpenAPISerializeOptions as k };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@orpc/openapi-client",
   "type": "module",
-  "version": "1.6.5",
+  "version": "1.6.6",
   "license": "MIT",
   "homepage": "https://orpc.unnoq.com",
   "repository": {
@@ -34,13 +34,13 @@
     "dist"
   ],
   "dependencies": {
-    "@orpc/contract": "1.6.5",
-    "@orpc/standard-server": "1.6.5",
-    "@orpc/client": "1.6.5",
-    "@orpc/shared": "1.6.5"
+    "@orpc/client": "1.6.6",
+    "@orpc/standard-server": "1.6.6",
+    "@orpc/shared": "1.6.6",
+    "@orpc/contract": "1.6.6"
   },
   "devDependencies": {
-    "@orpc/server": "1.6.5"
+    "@orpc/server": "1.6.6"
   },
   "scripts": {
     "build": "unbuild",