ottypes / json0

Version 0 of the JSON OT type

Guard against prototype pollution in json0 #51

Open ericyhwang opened 8 months ago

ericyhwang commented 8 months ago

json0.apply has a prototype pollution security issue, where applying ops with path segments that match prototype property names can clobber said prototype properties. This can cause a DoS by crashing a server running json0. (We've just released safeguards in sharedb, which still uses json0 as the default type.)

This fixes the issue by throwing an error in json0.apply when encountering a path segment that matches the name of a prototype property.

Unrelated, this also pins the colors library to 1.4.0, since later versions are completely broken. It's a transitive dependency of ot-fuzzer > cli-progress.
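To make the mechanism concrete, here is an added example (not json0's code, and not part of the PR) of the kind of path traversal an OT `apply` performs. `applyInsertUnsafe` walks `doc[seg]` for each path segment, so the path `['__proto__', 'x']` lands on `Object.prototype` and writes to it, which leaks into every object in the process; clobbering something like `toString` is enough to make unrelated code throw. `applyInsertSafe` is a hypothetical hardened variant in the spirit of the fix described above: it refuses any segment whose name is an own property of `Object.prototype` and only descends into own properties. The helper names and the shape of the ops are assumptions for illustration.

```javascript
// Added example: minimal path-based insert, vulnerable and hardened.
// Names of every own property of Object.prototype, e.g. '__proto__',
// 'constructor', 'hasOwnProperty', 'toString'.
const PROTOTYPE_NAMES = new Set(Object.getOwnPropertyNames(Object.prototype));

// Vulnerable: trusts the path. path[i] === '__proto__' steps onto
// Object.prototype, so the final assignment pollutes every object.
function applyInsertUnsafe(doc, path, value) {
  let node = doc;
  for (let i = 0; i < path.length - 1; i++) {
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return doc;
}

// Hardened: reject prototype property names up front, and only descend
// into own properties so 'constructor' cannot be reached via inheritance.
function applyInsertSafe(doc, path, value) {
  for (const seg of path) {
    if (typeof seg === 'string' && PROTOTYPE_NAMES.has(seg)) {
      throw new Error('Refusing to traverse prototype property: ' + seg);
    }
  }
  let node = doc;
  for (let i = 0; i < path.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(node, path[i])) {
      throw new Error('Path does not exist: ' + path.slice(0, i + 1).join('/'));
    }
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return doc;
}

// Shows the pollution: an unrelated fresh object gains the property.
// Cleans up the shared prototype afterwards.
function pollutionViaUnsafe() {
  applyInsertUnsafe({}, ['__proto__', 'polluted'], 'yes');
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // 'yes'
}

// Shows the crash: clobbering toString makes String({}) throw TypeError.
function crashAfterPollution() {
  const saved = Object.prototype.toString;
  try {
    applyInsertUnsafe({}, ['__proto__', 'toString'], 42);
    String({});
    return false;
  } catch (e) {
    return e instanceof TypeError;
  } finally {
    Object.prototype.toString = saved;
  }
}

// Returns the error message the hardened apply raises, or null if it applied.
function safeRejects(path) {
  try {
    applyInsertSafe({ a: { b: 1 } }, path, 'x');
    return null;
  } catch (e) {
    return e.message;
  }
}

// Ordinary ops still work through the hardened path.
function safeNormalOp() {
  return applyInsertSafe({ a: {} }, ['a', 'b'], 2).a.b; // 2
}
```

Blocking the names alone is the change the PR describes; the own-property check during descent is a belt-and-braces addition so that a path like `['constructor', 'prototype', ...]` cannot reach `Object.prototype` through inherited lookups even if the name list were ever incomplete.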