flagsmith-nodejs 7.0.3 → 8.0.0

package/.github/workflows/pull_request.yaml

@@ -14,7 +14,7 @@ jobs:
   build-and-test:
     strategy:
       matrix:
-        node-version: [18.x, 20.x, 22.x]
+        node-version: [20.x, 22.x, 24.x]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

package/.release-please-manifest.json

@@ -1 +1 @@
-{".":"7.0.3"}
+{".":"8.0.0"}

package/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [8.0.0](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.3...v8.0.0) (2026-02-25)
+
+
+### ⚠ BREAKING CHANGES
+
+* remove node18 support and update pino ([#220](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/220))
+
+### Bug Fixes
+
+* **CVE-2026-1615:** Replace jsonpath with jsonpath-plus to fix security vulnerability ([#247](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/247)) ([56a285c](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/56a285c610a51f1fe3f7d2cd561566d3aa1c6018))
+
+
+### Dependency Updates
+
+* remove node18 support and update pino ([#220](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/220)) ([a246c06](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/a246c066b062d5897abead34c0f1b8ee1d687d20))
+
+
+### Other
+
+* Remove amannn/action-semantic-pull-request workflow ([#243](https://github.com/Flagsmith/flagsmith-nodejs-client/issues/243)) ([980728a](https://github.com/Flagsmith/flagsmith-nodejs-client/commit/980728a380518e123e7ce8f6ede98842c915fcae))
+
 ## [7.0.3](https://github.com/Flagsmith/flagsmith-nodejs-client/compare/v7.0.2...v7.0.3) (2026-01-21)
 
 

package/build/cjs/flagsmith-engine/segments/evaluators.js

@@ -1,12 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getContextValue = exports.traitsMatchSegmentCondition = exports.getIdentitySegments = void 0;
-const jsonpathModule = require("jsonpath");
+const jsonpath_plus_1 = require("jsonpath-plus");
 const index_js_1 = require("../utils/hashing/index.js");
 const models_js_1 = require("./models.js");
 const constants_js_1 = require("./constants.js");
-// Handle ESM/CJS interop - jsonpath exports default in ESM
-const jsonpath = jsonpathModule.default || jsonpathModule;
 /**
  * Returns all segments that the identity belongs to based on segment rules evaluation.
  *
@@ -100,8 +98,20 @@ function evaluateRuleConditions(ruleType, conditionResults) {
             return false;
     }
 }
+const TRAITS_DOT_PATTERN = /^\$\.identity\.traits\.(.+)$/;
+const TRAITS_BRACKET_PATTERN = /^\$\.identity\.traits\['(.+)'\]$/;
+function extractTraitNameFromPath(property) {
+    return TRAITS_DOT_PATTERN.exec(property)?.[1] ?? TRAITS_BRACKET_PATTERN.exec(property)?.[1];
+}
 function getTraitValue(property, context) {
     if (property.startsWith('$.')) {
+        // Look up $.identity.traits.X and $.identity.traits['X'] paths directly
+        // to avoid jsonpath-plus mis-parsing special characters (e.g. $, [, ]) in
+        // trait names that appear inside bracket-notation strings.
+        const traitName = extractTraitNameFromPath(property);
+        if (traitName !== undefined) {
+            return context?.identity?.traits?.[traitName];
+        }
         const contextValue = getContextValue(property, context);
         if (contextValue !== undefined && isPrimitive(contextValue)) {
             return contextValue;
@@ -135,8 +145,7 @@ function getContextValue(jsonPath, context) {
     if (!context || !jsonPath?.startsWith('$.'))
         return undefined;
     try {
-        const normalizedPath = normalizeJsonPath(jsonPath);
-        const results = jsonpath.query(context, normalizedPath);
+        const results = (0, jsonpath_plus_1.JSONPath)({ path: jsonPath, json: context });
         return results.length > 0 ? results[0] : undefined;
     }
     catch (error) {
@@ -144,6 +153,3 @@ function getContextValue(jsonPath, context) {
     }
 }
 exports.getContextValue = getContextValue;
-function normalizeJsonPath(jsonPath) {
-    return jsonPath.replace(/\.([^.\[\]]+)$/, "['$1']");
-}

package/build/esm/flagsmith-engine/segments/evaluators.js

@@ -1,9 +1,7 @@
-import * as jsonpathModule from 'jsonpath';
+import { JSONPath } from 'jsonpath-plus';
 import { getHashedPercentageForObjIds } from '../utils/hashing/index.js';
 import { SegmentConditionModel } from './models.js';
 import { IS_NOT_SET, IS_SET, PERCENTAGE_SPLIT } from './constants.js';
-// Handle ESM/CJS interop - jsonpath exports default in ESM
-const jsonpath = jsonpathModule.default || jsonpathModule;
 /**
  * Returns all segments that the identity belongs to based on segment rules evaluation.
  *
@@ -95,8 +93,20 @@ function evaluateRuleConditions(ruleType, conditionResults) {
             return false;
     }
 }
+const TRAITS_DOT_PATTERN = /^\$\.identity\.traits\.(.+)$/;
+const TRAITS_BRACKET_PATTERN = /^\$\.identity\.traits\['(.+)'\]$/;
+function extractTraitNameFromPath(property) {
+    return TRAITS_DOT_PATTERN.exec(property)?.[1] ?? TRAITS_BRACKET_PATTERN.exec(property)?.[1];
+}
 function getTraitValue(property, context) {
     if (property.startsWith('$.')) {
+        // Look up $.identity.traits.X and $.identity.traits['X'] paths directly
+        // to avoid jsonpath-plus mis-parsing special characters (e.g. $, [, ]) in
+        // trait names that appear inside bracket-notation strings.
+        const traitName = extractTraitNameFromPath(property);
+        if (traitName !== undefined) {
+            return context?.identity?.traits?.[traitName];
+        }
         const contextValue = getContextValue(property, context);
         if (contextValue !== undefined && isPrimitive(contextValue)) {
             return contextValue;
@@ -130,14 +140,10 @@ export function getContextValue(jsonPath, context) {
     if (!context || !jsonPath?.startsWith('$.'))
         return undefined;
     try {
-        const normalizedPath = normalizeJsonPath(jsonPath);
-        const results = jsonpath.query(context, normalizedPath);
+        const results = JSONPath({ path: jsonPath, json: context });
         return results.length > 0 ? results[0] : undefined;
     }
     catch (error) {
         return undefined;
     }
 }
-function normalizeJsonPath(jsonPath) {
-    return jsonPath.replace(/\.([^.\[\]]+)$/, "['$1']");
-}

package/flagsmith-engine/segments/evaluators.ts

@@ -1,4 +1,4 @@
-import * as jsonpathModule from 'jsonpath';
+import { JSONPath } from 'jsonpath-plus';
 import {
     GenericEvaluationContext,
     InSegmentCondition,
@@ -10,9 +10,6 @@ import { getHashedPercentageForObjIds } from '../utils/hashing/index.js';
 import { SegmentConditionModel } from './models.js';
 import { IS_NOT_SET, IS_SET, PERCENTAGE_SPLIT } from './constants.js';
 
-// Handle ESM/CJS interop - jsonpath exports default in ESM
-const jsonpath = (jsonpathModule as any).default || jsonpathModule;
-
 /**
  * Returns all segments that the identity belongs to based on segment rules evaluation.
  *
@@ -140,8 +137,22 @@ function evaluateRuleConditions(ruleType: string, conditionResults: boolean[]):
     }
 }
 
+const TRAITS_DOT_PATTERN = /^\$\.identity\.traits\.(.+)$/;
+const TRAITS_BRACKET_PATTERN = /^\$\.identity\.traits\['(.+)'\]$/;
+
+function extractTraitNameFromPath(property: string): string | undefined {
+    return TRAITS_DOT_PATTERN.exec(property)?.[1] ?? TRAITS_BRACKET_PATTERN.exec(property)?.[1];
+}
+
 function getTraitValue(property: string, context?: GenericEvaluationContext): any {
     if (property.startsWith('$.')) {
+        // Look up $.identity.traits.X and $.identity.traits['X'] paths directly
+        // to avoid jsonpath-plus mis-parsing special characters (e.g. $, [, ]) in
+        // trait names that appear inside bracket-notation strings.
+        const traitName = extractTraitNameFromPath(property);
+        if (traitName !== undefined) {
+            return context?.identity?.traits?.[traitName];
+        }
         const contextValue = getContextValue(property, context);
         if (contextValue !== undefined && isPrimitive(contextValue)) {
             return contextValue;
@@ -179,14 +190,9 @@ export function getContextValue(jsonPath: string, context?: GenericEvaluationCon
     if (!context || !jsonPath?.startsWith('$.')) return undefined;
 
     try {
-        const normalizedPath = normalizeJsonPath(jsonPath);
-        const results = jsonpath.query(context, normalizedPath);
+        const results = JSONPath({ path: jsonPath, json: context });
         return results.length > 0 ? results[0] : undefined;
     } catch (error) {
         return undefined;
     }
 }
-
-function normalizeJsonPath(jsonPath: string): string {
-    return jsonPath.replace(/\.([^.\[\]]+)$/, "['$1']");
-}

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "flagsmith-nodejs",
-  "version": "7.0.3",
+  "version": "8.0.0",
   "description": "Flagsmith lets you manage features flags and remote config across web, mobile and server side applications. Deliver true Continuous Integration. Get builds out faster. Control who has access to new features.",
   "main": "./build/cjs/index.js",
   "type": "module",
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "exports": {
     "import": "./build/esm/index.js",
@@ -64,8 +64,8 @@
     "generate-engine-types": "npm run generate-evaluation-result-types && npm run generate-evaluation-context-types"
   },
   "dependencies": {
-    "jsonpath": "^1.1.1",
-    "pino": "^8.8.0",
+    "jsonpath-plus": "^10.4.0",
+    "pino": "^10",
     "semver": "^7.3.7",
     "undici-types": "^6.19.8"
   },

package/tests/engine/unit/segments/segment_evaluators.test.ts

@@ -345,6 +345,75 @@ describe('getIdentitySegments single segment evaluation', () => {
     });
 });
 
+describe('traitsMatchSegmentCondition with $.identity.traits.* properties', () => {
+    const mockContext: EvaluationContext = {
+        environment: { key: 'env', name: 'test' },
+        identity: {
+            key: 'user',
+            identifier: 'user@example.com',
+            traits: {
+                age: 25,
+                tamaño: 'grande',
+                サイズ: 'medium',
+                '[$the.size$]': 'small',
+                'my.foo.bar': 'dotted'
+            }
+        },
+        segments: {},
+        features: {}
+    };
+
+    test.each([
+        // dot notation – normal trait name
+        [{ property: '$.identity.traits.age', operator: 'EQUAL', value: '25' }, true],
+        [{ property: '$.identity.traits.age', operator: 'EQUAL', value: '30' }, false],
+        // dot notation – unicode trait name
+        [{ property: '$.identity.traits.tamaño', operator: 'EQUAL', value: 'grande' }, true],
+        [{ property: '$.identity.traits.サイズ', operator: 'EQUAL', value: 'medium' }, true],
+        // dot notation – trait name that itself contains dots (everything after $.identity.traits. is the key)
+        [{ property: '$.identity.traits.my.foo.bar', operator: 'EQUAL', value: 'dotted' }, true],
+        [{ property: '$.identity.traits.my.foo.bar', operator: 'EQUAL', value: 'other' }, false],
+        // bracket notation – special characters in trait name that break jsonpath-plus
+        [
+            { property: "$.identity.traits['[$the.size$]']", operator: 'EQUAL', value: 'small' },
+            true
+        ],
+        [
+            { property: "$.identity.traits['[$the.size$]']", operator: 'EQUAL', value: 'large' },
+            false
+        ],
+        // non-existent trait
+        [{ property: '$.identity.traits.nonexistent', operator: 'EQUAL', value: 'any' }, false],
+        // IS_SET / IS_NOT_SET
+        [{ property: '$.identity.traits.age', operator: 'IS_SET', value: null }, true],
+        [{ property: '$.identity.traits.nonexistent', operator: 'IS_SET', value: null }, false],
+        [{ property: '$.identity.traits.nonexistent', operator: 'IS_NOT_SET', value: null }, true],
+        [{ property: '$.identity.traits.age', operator: 'IS_NOT_SET', value: null }, false],
+        // IN operator
+        [
+            {
+                property: '$.identity.traits.tamaño',
+                operator: CONDITION_OPERATORS.IN,
+                value: ['grande', 'pequeño']
+            },
+            true
+        ],
+        [
+            {
+                property: '$.identity.traits.tamaño',
+                operator: CONDITION_OPERATORS.IN,
+                value: ['pequeño']
+            },
+            false
+        ]
+    ] as Array<[SegmentCondition | InSegmentCondition, boolean]>)(
+        'evaluates %j to %s',
+        (condition, expected) => {
+            expect(traitsMatchSegmentCondition(condition, 'seg', mockContext)).toBe(expected);
+        }
+    );
+});
+
 describe('getContextValue', () => {
     const mockContext: EvaluationContext = {
         environment: {
@@ -354,6 +423,7 @@ describe('getContextValue', () => {
         identity: {
             key: 'user-123',
             identifier: 'user@example.com'
+            // intentionally no traits – tests below confirm paths that require traits return undefined
         },
         segments: {},
         features: {}
@@ -371,7 +441,7 @@ describe('getContextValue', () => {
 
     // Undefined or invalid cases
     test.each([
-        ['$.identity.traits.user_type', 'unsupported nested path'],
+        ['$.identity.traits.user_type', 'no traits in context'],
         ['identity.identifier', 'missing $ prefix'],
         ['$.invalid.path', 'completely invalid path'],
         ['$.identity.nonexistent', 'valid structure but missing property'],

package/.github/workflows/conventional-commit.yml

@@ -1,29 +0,0 @@
-name: Conventional Commit
-
-on:
-  pull_request:
-    types:
-      - edited
-      - opened
-
-jobs:
-  conventional-commit:
-    name: Conventional Commit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check PR Conventional Commit title
-        uses: amannn/action-semantic-pull-request@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          types: | # mirrors changelog-sections in the /release-please-config.json
-            feat
-            fix
-            infra
-            ci
-            docs
-            deps
-            perf
-            refactor
-            test
-            chore