DaveGamble / cJSON

Ultralightweight JSON parser in ANSI C
MIT License
10.28k stars 3.15k forks

Weird Commits #845

Closed sbvoxel closed 2 months ago

sbvoxel commented 2 months ago

The last two commits are odd.

https://github.com/DaveGamble/cJSON/commit/66e9dff670a953586d4e75296f021a1c40f66768
https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59

The first commit adds a security policy directly copied from a different project without changing the wording (project name) or contact details. Furthermore, is this a good security policy to have? It's the same security policy state actors have inserted into projects to give them time to respond to their intentionally inserted vulnerabilities.

The second commit adds an early return when valuestring is NULL but doesn't clear the object's existing valuestring. It also makes the comment above that branch wrong or incomplete. This is rushed.

sbvoxel commented 2 months ago

Though on the second commit, I suppose by returning NULL it means failure, and so in that sense it shouldn't clear the existing valuestring?
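The semantics the two comments above settle on (a NULL `valuestring` is a failure: the setter returns NULL and leaves the object's existing string untouched, rather than clearing it) can be checked in isolation. The following is an added illustration written for this page, not cJSON's own `cJSON_SetValuestring` and not code from either commit; `item_t`, `set_valuestring` and `clear_valuestring` are stand-in names. It also covers one edge case the thread does not raise, as an assumption about what such a setter should handle: the new string may point into the existing buffer, so the copy is taken before the old buffer is freed. Plain ANSI C, since that is what cJSON targets.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the object type (hypothetical, not cJSON's struct). */
typedef struct {
    char *valuestring;
} item_t;

/* Returns the newly stored string on success, NULL on failure.
 * Failure (NULL item, NULL input, allocation failure) leaves
 * item->valuestring exactly as it was: returning NULL means
 * "nothing was changed", which is the reading the thread arrives at.
 * The copy is made before the old buffer is freed so that an input
 * pointing into item->valuestring itself is handled safely. */
static char *set_valuestring(item_t *item, const char *valuestring)
{
    char *copy;
    size_t len;

    if (item == NULL || valuestring == NULL) {
        return NULL;                 /* failure: object untouched */
    }
    len = strlen(valuestring) + 1;
    copy = (char *)malloc(len);
    if (copy == NULL) {
        return NULL;                 /* failure: object untouched */
    }
    memcpy(copy, valuestring, len);  /* copy first: input may alias the old buffer */
    free(item->valuestring);
    item->valuestring = copy;
    return copy;
}

/* Clearing is a separate, explicit operation, so that passing NULL to
 * the setter never silently doubles as "clear". */
static void clear_valuestring(item_t *item)
{
    if (item == NULL) {
        return;
    }
    free(item->valuestring);
    item->valuestring = NULL;
}

/* Exercises the three cases on a constructed item; returns 1 if the
 * expected behaviour holds, 0 otherwise. */
static int demo(void)
{
    item_t it;
    int ok = 1;
    it.valuestring = NULL;

    if (set_valuestring(&it, "original") == NULL) {
        return 0;
    }
    /* NULL input: failure is reported and the old value survives. */
    ok = ok && (set_valuestring(&it, NULL) == NULL);
    ok = ok && (strcmp(it.valuestring, "original") == 0);
    /* Aliasing input: a pointer into the existing buffer ("ginal"). */
    ok = ok && (set_valuestring(&it, it.valuestring + 3) != NULL);
    ok = ok && (strcmp(it.valuestring, "ginal") == 0);
    /* Explicit clear. */
    clear_valuestring(&it);
    ok = ok && (it.valuestring == NULL);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("%s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

A caller therefore distinguishes "set failed, value unchanged" from "value cleared" by the return value and by which function it called; a setter that cleared the string on a NULL argument would make the two indistinguishable.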

Alanscut commented 2 months ago

Hi @sbvoxel Thank you for your advice. For the first commit, I didn't check the details, but the contact details are correct. Sorry for my mistake. The second commit comes from #840, and I agree with you. I believe more similar checks should be made, but I didn't have enough time to handle all this then. So I just merged the PR instead of making a release. I will look deeper into this today.

It's the same security policy state actors have inserted into projects to give them time to respond to their intentionally inserted vulnerabilities.

Currently @PeterAlfredLee and I are maintaining cjson. The recent 2 CVEs of cjson weren't reported to me before they became public, which left me little time to look into them in detail. That's why I pushed a security policy. IMHO, we need some time to fix security issues and make a new release before a security issue becomes public. I don't have a better idea other than leaving an email here. If you have a better idea, feel free to let me know. :)

sbvoxel commented 2 months ago

Alright, sounds very good @Alanscut.

Thank you for maintaining cJSON along with the other fellow!