@scenarist/core 0.4.9 → 0.4.11

@@ -17,8 +17,8 @@
17
17
  */
18
18
  export const matchesRegex = (value, pattern) => {
19
19
  try {
20
- // eslint-disable-next-line security/detect-non-literal-regexp -- Pattern validated at trust boundary (schema uses redos-detector)
21
- const regex = new RegExp(pattern.source, pattern.flags);
20
+ // eslint-disable-next-line security/detect-non-literal-regexp
21
+ const regex = new RegExp(pattern.source, pattern.flags); // nosemgrep
22
22
  return regex.test(value);
23
23
  }
24
24
  catch {
@@ -84,18 +84,14 @@ const resolveTemplatePath = (templateData, prefix, path) => {
84
84
  if (!isRecord(current)) {
85
85
  return undefined;
86
86
  }
87
- // Security: Prevent prototype pollution attacks
88
- // This is a READ-only traversal, not a write operation, so prototype pollution is not possible.
89
- // Additionally, we explicitly block dangerous keys (__proto__, constructor, prototype) via isDangerousKey()
90
- // and verify the property exists on the object itself (not prototype) via Object.hasOwn().
91
- // @see https://github.com/citypaul/scenarist/security/code-scanning/165
92
- if (isDangerousKey(segment) || !Object.hasOwn(current, segment)) {
87
+ if (isDangerousKey(segment)) {
93
88
  return undefined;
94
89
  }
95
- // nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
96
- // eslint-disable-next-line security/detect-object-injection -- Read-only traversal with isDangerousKey and Object.hasOwn guards
97
- current = current[segment];
98
- // Guard: Return undefined if property doesn't exist
90
+ const descriptor = Object.getOwnPropertyDescriptor(current, segment);
91
+ if (descriptor === undefined) {
92
+ return undefined;
93
+ }
94
+ current = descriptor.value;
99
95
  if (current === undefined) {
100
96
  return undefined;
101
97
  }
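--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@scenarist/core",
- "version": "0.4.9",
+ "version": "0.4.11",
  "description": "Internal: Hexagonal architecture core for scenario-based testing with MSW",
  "author": "Paul Hammond (citypaul) <paul@packsoftware.co.uk>",
  "license": "MIT",
@@ -46,16 +46,16 @@
  "LICENSE"
  ],
  "dependencies": {
- "redos-detector": "^6.1.2",
+ "redos-detector": "^6.1.4",
  "zod": "^4.3.6"
  },
  "devDependencies": {
- "@vitest/coverage-v8": "^4.0.18",
- "@vitest/ui": "^4.0.18",
- "eslint": "^9.39.2",
+ "@vitest/coverage-v8": "^4.1.2",
+ "@vitest/ui": "^4.1.2",
+ "eslint": "^9.39.4",
  "fast-check": "^4.5.3",
  "typescript": "^5.9.3",
- "vitest": "^4.0.18",
+ "vitest": "^4.1.2",
  "@scenarist/eslint-config": "0.0.0",
  "@scenarist/typescript-config": "0.0.0"
  },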