@scenarist/core 0.4.5 → 0.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -109,12 +109,15 @@ const resolveTemplatePath = (templateData, prefix, path) => {
|
|
|
109
109
|
return undefined;
|
|
110
110
|
}
|
|
111
111
|
// Security: Prevent prototype pollution attacks
|
|
112
|
+
// This is a READ-only traversal, not a write operation, so prototype pollution is not possible.
|
|
113
|
+
// Additionally, we explicitly block dangerous keys (__proto__, constructor, prototype) via isDangerousKey()
|
|
114
|
+
// and verify the property exists on the object itself (not prototype) via Object.hasOwn().
|
|
112
115
|
// @see https://github.com/citypaul/scenarist/security/code-scanning/165
|
|
113
116
|
if (isDangerousKey(segment) || !Object.hasOwn(current, segment)) {
|
|
114
117
|
return undefined;
|
|
115
118
|
}
|
|
116
|
-
// nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop
|
|
117
|
-
// eslint-disable-next-line security/detect-object-injection --
|
|
119
|
+
// nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
|
|
120
|
+
// eslint-disable-next-line security/detect-object-injection -- Read-only traversal with isDangerousKey and Object.hasOwn guards
|
|
118
121
|
current = current[segment];
|
|
119
122
|
// Guard: Return undefined if property doesn't exist
|
|
120
123
|
if (current === undefined) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@scenarist/core",
|
|
3
|
-
"version": "0.4.
|
|
3
|
+
"version": "0.4.6",
|
|
4
4
|
"description": "Internal: Hexagonal architecture core for scenario-based testing with MSW",
|
|
5
5
|
"author": "Paul Hammond (citypaul) <paul@packsoftware.co.uk>",
|
|
6
6
|
"license": "MIT",
|
|
@@ -47,15 +47,15 @@
|
|
|
47
47
|
],
|
|
48
48
|
"dependencies": {
|
|
49
49
|
"redos-detector": "^6.1.2",
|
|
50
|
-
"zod": "^4.1
|
|
50
|
+
"zod": "^4.2.1"
|
|
51
51
|
},
|
|
52
52
|
"devDependencies": {
|
|
53
|
-
"@vitest/coverage-v8": "^4.0.
|
|
54
|
-
"@vitest/ui": "^4.0.
|
|
55
|
-
"eslint": "^9.39.
|
|
56
|
-
"fast-check": "^4.
|
|
53
|
+
"@vitest/coverage-v8": "^4.0.16",
|
|
54
|
+
"@vitest/ui": "^4.0.16",
|
|
55
|
+
"eslint": "^9.39.2",
|
|
56
|
+
"fast-check": "^4.5.2",
|
|
57
57
|
"typescript": "^5.9.3",
|
|
58
|
-
"vitest": "^4.0.
|
|
58
|
+
"vitest": "^4.0.16",
|
|
59
59
|
"@scenarist/eslint-config": "0.0.0",
|
|
60
60
|
"@scenarist/typescript-config": "0.0.0"
|
|
61
61
|
},
|