justinlettau / ts-dot-prop Goto Github PK

Describe the Issue

Issue manifests when you have an object containing an object and additional properties after said nested object.

Expected behavior

Would expect all trees properly return with their nested prefixes

Steps to Reproduce

const howToBreakIt = {
      something: false,
      someObject: { 
        someNestedObject: {
          someProperty: 1
        },
        someBoolean: false
      }
    };

Expected results are:
['something', 'someObject.someNestedObject.someProperty', 'someObject.someBoolean']

Current version produces:
['something', 'someObject.someNestedObject.someProperty', 'someBoolean']

Other Information

I have a fix for this that I will PR in as 2.1.1 shortly. The issue is we are resetting the lead array instead of just popping off the last prefix in the chain.

lead = [];

needs to be

lead.pop();

Describe the Issue

When trying to get nested values from an array, if the property names contain digits the library fails to resolve the values.

Example:

const obj = [
  {
    prop1: 'nested1'
  },
  {
    prop1: 'nested2'
  }
]

get(obj, "prop1"); // undefined

Expected behavior

In the example above:

get(obj, "prop1")// ['nested1', 'nested2']

Solution

I believe the solution is to restrict the indexer RegExp to match only digits rather than a string containing digits.

I will submit a PR for this fix.

Describe the Issue

When you try to use the sourcemap, module builder gives the following error:
Sourcemap for "/node_modules/ts-dot-prop/dist/index.js" points to missing source files

Expected behavior

src/ folder is included in package.

Steps to Reproduce

Simply use the package in a module builder with sourcemaps activated.

Other Information

I will create a pull request.

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Describe the Issue

npm install ts-dot-prop does not produce the latest code

Expected behavior

I expect the lead.pop() fix from the last PR merge to be included in the 2.1.1 npm distribution

Steps to Reproduce

mkdir ts-dot-prop-test
cd ts-dot-prop-test
npm i ts-dot-prop
cd node_modules/dist/ts-dot-prop

^ witness in index.js that it still contains lead = []

Other Information

I have attempted force clearing my npm cache to no avail. Not sure if there's anything else to try

The issue in issue#20 is not completely fixed yet.

I have re-run the POC against the latest version 1.4.1 and the vulnerability triggered again.

Please contact me for the POC if required. Thanks.

Describe the Issue

When trying to get the property from objects nested within multiple levels of arrays, results in undefined.

Expected behavior

Should return nested arrays reflecting the defined path.

Steps to Reproduce

const object = { 
  arr: [
    {
      content: [
        {a: 1, b: 2, c: 3},
        {a: 4, b: 5, c: 6}
      ]
    },
    {
      content: [
        {a: 6, b: 7, c: 8},
        {a: 9, b: 10, c:11}
      ]
    }
  ]
}
get(object, 'arr[*].content[*].a') // Expect: [ [ 1, 4 ], [ 6, 9 ] ], Actual: [ undefined, undefined ] 

I would like to report a Prototype pollution vulnerability in "ts-dot-prop".

It fails to restrict access to prototypes of objects, allowing for modification of prototype behavior, which may allow obtaining sensitive information/DoS/RCE.

Please contact me for the POC if required. Thanks.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update jest monorepo to v29 (major) (@types/jest, jest, ts-jest)

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository