fix: infinite loop when object has an empty string key

[trotzig]

Problem

When diffing two objects where either side contains an empty string ("") as a key, diffObject enters an infinite loop and exhausts all available memory, crashing the process/browser tab.

The root cause is the key-advance logic at the end of the while loop:

if (!keyLeft) {
  keysRight.shift();
} else if (!keyRight) {
  keysLeft.shift();

Because !'' is true in JavaScript, when the current left key is the empty string the code thinks the left side is exhausted and only advances the right pointer. keysLeft is therefore never shifted past "", and once keysRight drains the loop spins forever.

Fix

Replace the falsy checks with strict === undefined comparisons:

if (keyLeft === undefined) {
  keysRight.shift();
} else if (keyRight === undefined) {
  keysLeft.shift();

Test

A regression test is added to differ.spec.ts that diffs two objects both containing an empty-string key and asserts: the call completes without throwing, both sides produce the same number of lines, and the changed value is marked as a modification.

Reproduction

const d = new Differ();
// Hangs / OOMs before this fix:
d.diff({ '': 'before', a: 1 }, { '': 'after', b: 2 });

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug in the object differ utility that led to infinite loops and application crashes when processing objects containing empty string keys. The fix refines the key comparison logic to accurately distinguish between an undefined key and an empty string key, thereby preventing erroneous loop conditions and enhancing the stability of the diffing process.

Highlights

• Bug Fix: Infinite Loop: Resolved an issue in diffObject where diffing objects with empty string keys ("") would cause an infinite loop and memory exhaustion due to incorrect key-advance logic.
• Logic Correction: Replaced JavaScript's falsy checks (!key) with strict === undefined comparisons for keyLeft and keyRight to correctly identify when a key is truly absent, rather than just an empty string.
• Regression Test: Added a new test case in differ.spec.ts to ensure the fix prevents the infinite loop and correctly handles object diffs with empty string keys.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• src/differ.spec.ts
  • Added a regression test for the empty string key infinite loop scenario.
• src/utils/diff-object.ts
  • Modified key-advance logic to use strict undefined checks instead of falsy checks.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request fixes an infinite loop that occurs when diffing objects with an empty string as a key. The fix correctly uses a strict undefined check instead of a falsy check to determine if the key arrays are exhausted. A regression test is added to cover this scenario. The implementation of the fix is correct. I've suggested a small improvement to the new test case to make it more concise and efficient by removing a redundant function call.

[trotzig]

We found this bug at happo.io after seeing certain reports make the page unresponsive. I threw Claude at the data and it tracked it down to this issue in json-diff-kit.

Thank you very much for making this library available to the public @RexSkz! We've used it for a few years now and it's been great.

[RexSkz]

Thank you for your contribution! It's really a rookie mistake in JavaScript.

BTW, do you think it's necessary to make code changes according to Gemini's advice? (I'm okay with it. If you are also okay, you can directly resolve the comment and merge this PR.)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[trotzig]

We have all made this mistake, don't worry!

I resolved the Gemini feedback without changes. I also signed the commits so that you can merge it.

[RexSkz]

v1.0.35 has been published :)