node-dmx / dmx

DMX controller library for node.js
MIT License
297 stars 95 forks

JS for files that store only objects #46

Closed ghost closed 6 years ago

ghost commented 6 years ago

I'd suggest changing these to JSON files, and if you need features like comments use json5. You can even require() JSON files and get just an object with its contents. The major problem with using JS for data-storage is that it's not secure and 100% vulnerable to code injection.

wiedi commented 6 years ago

The config file is already JSON and read using JSON.parse.

The devices.js file is part of the code and if you can modify that you could also modify any other part that would allow you to change the code. So there is no code injection vulnerability that would be prevented by changing that file to JSON.