Skip to content

Commit b856cb8

Browse files
Leonidas-from-XIVLeonidas-from-XIV
committedApr 9, 2023
Add upper bound for coffeescript (for now)
·
0.6.20.6.0
1 parent bd0f780 commit b856cb8

File tree

2 files changed

+5
-6
lines changed

2 files changed

+5
-6
lines changed
 

‎package-lock.json

+4-5
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

‎package.json

+1-1
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,7 @@
7979
"xmlbuilder": "~11.0.0"
8080
},
8181
"devDependencies": {
82-
"coffee-script": ">=1.10.0",
82+
"coffeescript": ">=1.10.0 <2",
8383
"coveralls": "^3.0.1",
8484
"diff": ">=1.0.8",
8585
"docco": ">=0.6.2",

4 commit comments

Comments
 (4)

bonjonbovi87 commented on Apr 11, 2023

@bonjonbovi87
bonjonbovi87
on Apr 11, 2023

FYI this upper limit change has parseString returning [Object: null prototype] which breaks anyone using .hasOwnProperty() and other inherited object functions.

mariosteinbacher commented on Apr 11, 2023

@mariosteinbacher
mariosteinbacher
on Apr 11, 2023edited by mariosteinbacher

I was looking into the tests.
A way to check hasOwnProperty is:

{}.hasOwnProperty.call(xmlObjectHere, 'propertyname')

so you can't inject protos as I have seen in the discussions

Leonidas-from-XIV commented on Apr 11, 2023

@Leonidas-from-XIV
Leonidas-from-XIV
on Apr 11, 2023
OwnerAuthor

@bonjonbovi87 No, this has nothing to do with it. The reason why it doesn't work is because #603 was merged to avoid a security issue.

bonjonbovi87 commented on Apr 11, 2023

@bonjonbovi87
bonjonbovi87
on Apr 11, 2023edited by bonjonbovi87

Oops, I see, thanks. Missed it because the file date is 2 years ago due to the original commit.

Please sign in to comment.