formatarc 0.2.0 → 0.2.1

package/README.md

@@ -1,8 +1,28 @@
 # formatarc
 
-Convert JSON, YAML, CSV, Markdown, and HTML from the terminal. No config, no dependencies to manage — just pipe or pass your data.
+Convert JSON, YAML, CSV, Markdown, and HTML from the terminal — your data never leaves your machine. No config, no telemetry, no upload.
 
-**Web version → [formatarc.com](https://formatarc.com)**
+[![npm version](https://img.shields.io/npm/v/formatarc.svg)](https://www.npmjs.com/package/formatarc)
+[![license: MIT](https://img.shields.io/npm/l/formatarc.svg)](https://github.com/m-naoki-m/formatarc/blob/main/LICENSE)
+[![npm downloads](https://img.shields.io/npm/dm/formatarc.svg)](https://www.npmjs.com/package/formatarc)
+
+**Web version → [formatarc.com](https://formatarc.com)** — the same conversions, 100% in your browser, no signup.
+
+## Why formatarc?
+
+Most "online JSON / YAML / CSV converters" send the data you paste to a server. In November 2025, security firm watchTowr disclosed that two popular formatter sites (jsonformatter.org and codebeautify.org) had publicly exposed **over 80,000 saved submissions (5 GB+)** through a predictable "Recent Links" URL — including Active Directory credentials, cloud access keys, private keys, CI/CD secrets, JWTs, and full AWS Secrets Manager exports from government, banking, healthcare, and aerospace organizations. ([watchTowr report](https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/))
+
+formatarc is built so that can't happen. The CLI runs entirely on your machine, and the [web version](https://formatarc.com) runs entirely in your browser — no upload, no logging, no telemetry, no account.
+
+It is not only paste-to-a-server sites, either: in early 2026, a widely used JSON formatter browser extension was reported (on Hacker News and dev.to) to add third-party tracking and checkout-page injection after moving to a closed-source model — a reminder that an installed extension can change behaviour through an automatic update. Background on both risks: [are online converters safe?](https://formatarc.com/en/blog/online-converter-safety/) and [picking a JSON formatter Chrome extension by privacy and permissions](https://formatarc.com/en/blog/chrome-extension-json-formatter/).
+
+| | formatarc CLI | formatarc web | Typical online converter | jq / yq / pandoc |
+|---|:---:|:---:|:---:|:---:|
+| Data stays local | ✅ | ✅ | ❌ | ✅ |
+| No signup / no upload | ✅ | ✅ | ⚠️ | ✅ |
+| JSON + YAML + CSV + Markdown + HTML in one tool | ✅ | ✅ | ⚠️ | ❌ |
+| Works offline | ✅ | after first load | ❌ | ✅ |
+| Single install | ✅ | n/a | n/a | ❌ |
 
 ## Install
 
@@ -118,7 +138,9 @@ For a browser-based experience with no signup and no data upload:
 - JSON Formatter, YAML ↔ JSON, CSV → JSON
 - CSV → Markdown, Markdown ↔ HTML
 - Runs entirely in the browser
-- Multilingual (English / Japanese)
+- Multilingual (English, Japanese, Spanish, Portuguese)
+
+There is also a [Chrome extension](https://formatarc.com/en/blog/chrome-extension-json-formatter/) for popup and right-click conversion — same browser-side processing, no upload.
 
 ## License
 

package/dist/converter.js

@@ -128,12 +128,51 @@ const turndownService = (() => {
     });
     return service;
 })();
+// Locate a trailing comma (a comma whose next non-whitespace character is `}`
+// or `]`). String-aware so commas/brackets inside string values are ignored.
+// Returns the comma's 1-based line, or null if there is none.
+function findTrailingCommaLine(input) {
+    let inString = false;
+    let escape = false;
+    for (let i = 0; i < input.length; i++) {
+        const ch = input[i];
+        if (inString) {
+            if (escape)
+                escape = false;
+            else if (ch === "\\")
+                escape = true;
+            else if (ch === '"')
+                inString = false;
+            continue;
+        }
+        if (ch === '"') {
+            inString = true;
+            continue;
+        }
+        if (ch === ",") {
+            let j = i + 1;
+            while (j < input.length && /\s/.test(input[j]))
+                j++;
+            if (j < input.length && (input[j] === "}" || input[j] === "]")) {
+                return input.slice(0, i + 1).split("\n").length;
+            }
+        }
+    }
+    return null;
+}
 function formatError(err, input, tool) {
     if (err instanceof YAML.YAMLParseError) {
         const line = err.linePos?.[0]?.line;
         return line ? `YAML syntax error near line ${line}.` : "YAML syntax error.";
     }
     if (err instanceof Error && err.name === "SyntaxError") {
+        // Trailing comma is the most common JSON mistake, and parsers report it at
+        // the *following* bracket (often on the next line), not at the comma. Find
+        // the comma ourselves and point at its line.
+        const trailingCommaLine = findTrailingCommaLine(input);
+        if (trailingCommaLine !== null) {
+            return `Invalid JSON: remove the trailing comma on line ${trailingCommaLine}.`;
+        }
         const match = err.message.match(/position\s+(\d+)/i);
         if (match) {
             const line = input.slice(0, Number(match[1])).split("\n").length;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "formatarc",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Convert JSON, YAML, CSV, Markdown, and HTML from the terminal. Browser-based version at formatarc.com.",
   "keywords": [
     "json",