bfj 9.1.1 → 9.1.3

package/.claude/settings.local.json

@@ -0,0 +1,21 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm info:*)",
+      "Bash(npm view:*)",
+      "Bash(node -e:*)",
+      "WebSearch",
+      "Bash(npx mocha:*)",
+      "Bash(export PATH:*)",
+      "Bash(node:*)",
+      "Bash(npm install:*)",
+      "Bash(npm run unit:*)",
+      "Bash(npm run lint:*)",
+      "Bash(/usr/bin/tail:*)",
+      "Bash(/usr/bin/grep -E '\\(passing|failing\\)')",
+      "Bash(npm run integration:*)",
+      "Bash(npm test:*)",
+      "Bash(npm run memory:*)"
+    ]
+  }
+}

package/.eslintrc

@@ -43,7 +43,7 @@ rules:
   keyword-spacing: [ 2, { "before": true, "after": true } ]
   linebreak-style: [ 2, "unix" ]
   lines-around-comment: 0
-  max-depth: [ 1, 3 ]
+  max-depth: [ 1, 4 ]
   max-nested-callbacks: [ 1, 2 ]
   max-params: [ 1, 8 ]
   max-statements: 0
@@ -62,9 +62,9 @@ rules:
   no-cond-assign: [ 2, "always" ]
   no-confusing-arrow: 0
   no-console: 1
-  no-constant-condition: 2
+  no-constant-condition: 0
   no-const-assign: 2
-  no-continue: 1
+  no-continue: 0
   no-control-regex: 2
   no-debugger: 2
   no-delete-var: 2
@@ -145,7 +145,7 @@ rules:
   no-spaced-func: 2
   no-sparse-arrays: 2
   no-sync: 0
-  no-ternary: 1
+  no-ternary: 0
   no-this-before-super: 2
   no-throw-literal: 1
   no-trailing-spaces: 2

package/HISTORY.md

@@ -1,5 +1,30 @@
 # History
 
+## 9.1.3
+
+### Bug fixes
+
+* memory: eliminate memory leaks in `walk` and `eventify` (8592416af612795d08c5f9b50e8bf611cca303a5)
+* match: remove vulnerable `jsonpath` dependency (d053e0de4cc91c1393b9377f0569eebf91eb84da)
+
+### Other changes
+
+* repo: tweak lint config (efe9f392127d7ab845bd9c3becb87949cf0a4625)
+* deps: `npm audit fix` (b4d066425e107288f8da3658d29f3e5ec57ad0c9)
+* deps: upgrade `please-release-me` to `3.4.1` (cd65c37f626541599c3eef60ab0011055d304ae0)
+
+## 9.1.2
+
+### Bug fixes
+
+* streamify: fix nonsense race condition mitigation (bcf35db58538b3e4feda31e4d0781ff16ee0d0a7)
+
+### Other changes
+
+* deps: upgrade `cross-spawn` to `7.0.6` (4a55a0f3e8a0a6eadc3f43bd3c0f33eedb0619a6)
+* eventify: remove redundant `async` (44d90b45f0f84423784ccd835dad20ca8209162b)
+* lint: stop warning on ternary operators (4cb552cd2b69b0432ace5f326b2804f57010e69f)
+
 ## 9.1.1
 
 ### Bug fixes

package/README.md

@@ -276,8 +276,13 @@ the comparison will be made
 by calling the [RegExp `test` method][regexp-test]
 with the property key.
 If it is a JSONPath expression,
-it must start with `$.` to identify the root node
-and only use `child` scope expressions for subsequent nodes.
+it must start with `$.`
+and supports only simple child access:
+dot-notation properties (`$.foo.bar`),
+bracket-notation strings (`$["foo"]`),
+numeric indices (`$[0]`),
+and wildcards (`$[*]`).
+Filter, script, and recursive descent expressions are not supported.
 Predicate functions will be called with three arguments:
 `key`, `value` and `depth`.
 If the result of the predicate is a truthy value

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bfj",
-  "version": "9.1.1",
+  "version": "9.1.3",
   "description": "Big-friendly JSON. Asynchronous streaming functions for large JSON data sets.",
   "homepage": "https://gitlab.com/philbooth/bfj",
   "bugs": "https://gitlab.com/philbooth/bfj/issues",
@@ -31,7 +31,6 @@
   "dependencies": {
     "check-types": "^11.2.3",
     "hoopy": "^0.1.4",
-    "jsonpath": "^1.1.1",
     "tryer": "^1.0.1"
   },
   "devDependencies": {
@@ -39,16 +38,17 @@
     "chai": "^4.5.0",
     "eslint": "^8.57.1",
     "mocha": "^10.7.3",
-    "please-release-me": "^2.1.6",
+    "please-release-me": "^3.4.1",
     "proxyquire": "^2.1.3",
     "spooks": "^2.0.0"
   },
   "scripts": {
     "lint": "eslint src",
-    "test": "npm run unit && npm run integration",
+    "test": "npm run unit && npm run integration && npm run memory",
     "unit": "mocha --ui tdd --reporter spec --recursive --colors --slow 120 test/unit",
     "integration": "mocha --ui tdd --reporter spec --colors test/integration",
-    "perf": "wget -O test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg",
-    "perf-match": "wget -O test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg currency"
+    "memory": "mocha --ui tdd --reporter spec --colors test/memory",
+    "perf": "test -f test/mtg.json || curl -o test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg",
+    "perf-match": "test -f test/mtg.json || curl -o test/mtg.json https://mtgjson.com/api/v5/AllPrices.json && node test/performance mtg currency"
   }
 }

package/src/eventify.js

@@ -209,7 +209,7 @@ function eventify (data, options = {}) {
     return datum > Number.NEGATIVE_INFINITY && datum < Number.POSITIVE_INFINITY
   }
 
-  async function yieldThenProceed (datum, resolve, reject) {
+  function yieldThenProceed (datum, resolve, reject) {
     setImmediate(async () => {
       try {
         resolve(await afterCoercion(await coerce(datum)))
@@ -249,7 +249,7 @@ function eventify (data, options = {}) {
 
     await emit(events[type])
 
-    await item(obj, arr, type, action, ignoreThisItem, 0)
+    await item(obj, arr, type, action, ignoreThisItem)
   }
 
   async function emit (event, eventData) {
@@ -265,30 +265,26 @@ function eventify (data, options = {}) {
     }
   }
 
-  async function item (obj, arr, type, action, ignoreThisItem, index) {
-    if (index >= arr.length) {
-      if (ignoreThisItem) {
-        ignoreItems = false
-      }
-
+  async function item (obj, arr, type, action, ignoreThisItem) {
+    for (let index = 0; index < arr.length; index++) {
       if (ignoreItems) {
-        return
+        break
       }
 
-      await emit(events.endPrefix + events[type])
-
-      references.delete(obj)
+      await action(arr[index])
+    }
 
-      return
+    if (ignoreThisItem) {
+      ignoreItems = false
     }
 
     if (ignoreItems) {
-      return item(obj, arr, type, action, ignoreThisItem, index + 1)
+      return
     }
 
-    await action(arr[index])
+    await emit(events.endPrefix + events[type])
 
-    await item(obj, arr, type, action, ignoreThisItem, index + 1)
+    references.delete(obj)
   }
 
   function value (datum, type) {

package/src/jsonpath.js

@@ -0,0 +1,151 @@
+'use strict'
+
+module.exports = parseJsonPath
+
+/* Minimal jsonpath parser,
+ * replacing `jsonpath` which depended on `static-eval`
+ * (CVE-2026-1615, arbitrary code execution from untrusted input).
+ *
+ * Only the subset used by bfj is supported:
+ *   $.foo.bar    dot-notation properties
+ *   $["foo"]     bracket-notation strings
+ *   $[0]         numeric indices
+ *   $[*]         wildcards
+ *
+ * Filter expressions, script expressions, recursive descent, slices, and negative indices
+ * are all rejected.
+ * No eval, no regex, no dynamic code.
+ */
+
+function parseJsonPath (selector) {
+  if (typeof selector !== 'string' || selector.length === 0 || selector[0] !== '$') {
+    throw new SyntaxError('Invalid jsonpath: must start with $')
+  }
+
+  const result = [ { expression: { type: 'root', value: '$' } } ]
+  let position = 1
+
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: must have at least one segment after $')
+  }
+
+  while (position < selector.length) {
+    const character = selector[position]
+
+    if (character === '.') {
+      position += 1
+      if (position >= selector.length || selector[position] === '.') {
+        throw new SyntaxError('Invalid jsonpath: unexpected character after dot')
+      }
+
+      const id = parseIdentifier(selector, position)
+      result.push({ expression: { type: 'identifier', value: id.value }, operation: 'member', scope: 'child' })
+      position = id.position
+    } else if (character === '[') {
+      position += 1
+      const content = parseBracketContent(selector, position)
+      result.push({ expression: content.expression, operation: 'subscript', scope: 'child' })
+
+      position = content.position
+      if (position >= selector.length || selector[position] !== ']') {
+        throw new SyntaxError('Invalid jsonpath: unterminated bracket')
+      }
+
+      position += 1
+    } else {
+      throw new SyntaxError(`Invalid jsonpath: unexpected character "${character}"`)
+    }
+  }
+
+  return result
+}
+
+function parseBracketContent (selector, position) {
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: unterminated bracket')
+  }
+
+  const character = selector[position]
+
+  if (character === '*') {
+    return { expression: { type: 'wildcard', value: '*' }, position: position + 1 }
+  }
+
+  if (character === '"' || character === "'") {
+    const str = parseStringLiteral(selector, position)
+    return { expression: { type: 'string_literal', value: str.value }, position: str.position }
+  }
+
+  if (isDigit(character)) {
+    const num = parseNumericLiteral(selector, position)
+    return { expression: { type: 'numeric_literal', value: num.value }, position: num.position }
+  }
+
+  throw new SyntaxError(`Invalid jsonpath: unexpected bracket content "${character}"`)
+}
+
+function parseIdentifier (selector, position) {
+  const start = position
+
+  if (position >= selector.length || !isIdentifierStart(selector[position])) {
+    throw new SyntaxError('Invalid jsonpath: expected identifier')
+  }
+
+  position += 1
+
+  while (position < selector.length && isIdentifier(selector[position])) {
+    position += 1
+  }
+
+  return { value: selector.slice(start, position), position }
+}
+
+function parseNumericLiteral (selector, position) {
+  const start = position
+
+  while (position < selector.length && isDigit(selector[position])) {
+    position += 1
+  }
+
+  return { value: parseInt(selector.slice(start, position), 10), position }
+}
+
+function parseStringLiteral (selector, position) {
+  const quote = selector[position]
+  position += 1
+  const start = position
+
+  while (position < selector.length && selector[position] !== quote) {
+    if (selector[position] === '\\') {
+      throw new SyntaxError('Invalid jsonpath: escape sequences in strings are not supported')
+    }
+    position += 1
+  }
+
+  if (position >= selector.length) {
+    throw new SyntaxError('Invalid jsonpath: unterminated string')
+  }
+
+  const value = selector.slice(start, position)
+  position += 1
+  return { value, position }
+}
+
+function isDigit (character) {
+  return character >= '0' && character <= '9'
+}
+
+function isIdentifier (character) {
+  return (character >= 'a' && character <= 'z') ||
+    (character >= 'A' && character <= 'Z') ||
+    (character >= '0' && character <= '9') ||
+    character === '_' ||
+    character === '$'
+}
+
+function isIdentifierStart (character) {
+  return (character >= 'a' && character <= 'z') ||
+    (character >= 'A' && character <= 'Z') ||
+    character === '_' ||
+    character === '$'
+}

package/src/match.js

@@ -4,7 +4,7 @@ const check = require('check-types')
 const DataStream = require('./datastream')
 const events = require('./events')
 const Hoopy = require('hoopy')
-const jsonpath = require('jsonpath')
+const parseJsonPath = require('./jsonpath')
 const { PassThrough } = require('node:stream')
 const walk = require('./walk')
 
@@ -84,7 +84,7 @@ function match (stream, selector, options = {}) {
     check.assert.nonEmptyString(selector)
 
     if (selector.startsWith('$.')) {
-      selectorPath = jsonpath.parse(selector)
+      selectorPath = parseJsonPath(selector)
       check.assert.identical(selectorPath.shift(), {
         expression: {
           type: 'root',

package/src/streamify.js

@@ -50,6 +50,7 @@ function streamify (data, options = {}) {
     streamOptions = { highWaterMark }
   }
   const stream = new JsonStream(read, streamOptions)
+  const eventQueue = []
 
   let awaitPush = true
   let index = 0
@@ -58,7 +59,6 @@ function streamify (data, options = {}) {
   let isPaused = false
   let isProperty
   let length = 0
-  let mutex = Promise.resolve()
   let needsComma
 
   emitter.on(events.array, noRacing(array))
@@ -122,8 +122,17 @@ function streamify (data, options = {}) {
 
   function noRacing (handler) {
     return async (eventData) => {
-      await mutex
-      mutex = await handler(eventData)
+      let resolve
+
+      eventQueue.push(new Promise(res => resolve = res))
+
+      if (eventQueue.length > 1) {
+        await eventQueue[eventQueue.length - 2]
+        eventQueue.shift()
+      }
+
+      await handler(eventData)
+      resolve()
     }
   }