
Phase 0: prepare 1.0.0 baseline with CVE patches and CI #2

Merged
edwardsmit merged 2 commits into master from phase-0/1.0.0-baseline on May 20, 2026

Conversation

@edwardsmit
Owner

Summary

First phase of the modernization plan. Today's code, packaged honestly, with the minimum patches to be CVE-clean on the original install target (Node 0.10+).

  • Security: deparam now rejects __proto__/constructor/prototype keys and caps nesting depth at maxDepth (default 5)
  • Conformance spec: 58 cases that pin the wire-format and security contract for every future phase and any replacement library
  • CI matrix: full mocha on Node 18/20/22/24, smoke test on Node 0.10/0.12/4/6/8/10/12/14/16 via Docker (native amd64 on Ubuntu runners)
  • Tooling: consolidated LICENSE, SECURITY.md, engines >=0.10, files allowlist

Test plan

  • CI test job green on Node 18/20/22/24 (full mocha suite, 82 tests)
  • CI floor job green on Node 0.10 through 16 (smoke-floor.js, 28 assertions)
  • CI audit job reports zero runtime vulnerabilities
  • Local verification on Node 16 (mocha) and Node 4 (Docker smoke) — done pre-push
  • Human gate review after CI green — release decision goes back to Edward before any tag / npm publish

Notes

  • package-lock.json is intentionally not committed pending the lockfile-policy decision.
  • This is a BREAKING CHANGE for any caller passing prototype-polluting keys or relying on >5-deep nested parameters; documented in the conformance spec.

Edward Smit added 2 commits May 20, 2026 08:22
Phase 0 of the modernization plan. Today's code with the minimum patches
to be CVE-clean on the original install target.

Security:
- Reject deparam parameter keys equal to __proto__, constructor, or
  prototype (prototype-pollution mitigation; same shape as qs
  CVE-2017-1000048 / CVE-2022-24999).
- New maxDepth parameter on deparam (default 5) caps nesting depth;
  parameters exceeding it are silently dropped.

Tooling:
- Consolidate MIT-LICENSE.txt + jquery-MIT-LICENSE.txt + deparam-LICENSE
  into a single LICENSE with full attribution.
- Add SECURITY.md disclosure policy.
- Add .github/workflows/ci.yml: full mocha suite on Node 18/20/22/24 via
  setup-node, smoke test on Node 0.10/0.12/4/6/8/10/12/14/16 via Docker
  (native amd64 on Ubuntu runners), npm audit job.
- Declare engines >=0.10 in package.json, add files allowlist, update
  homepage/bugs URLs.

Tests:
- Add test/conformance.spec.js: Reference Conformance Spec (58 cases)
  capturing the wire-format and security contract for future modernization
  phases and any replacement library.
- Add test/smoke-floor.js: assertion-only smoke test (no chai/mocha
  transitive dependencies) that runs on ancient Node versions in CI.

BREAKING CHANGE: deparam now rejects prototype-pollution keys and caps
nesting depth at maxDepth (default 5). Both behaviors are pinned by the
new conformance spec.
@edwardsmit edwardsmit merged commit e37a791 into master May 20, 2026
14 checks passed
@edwardsmit edwardsmit deleted the phase-0/1.0.0-baseline branch May 20, 2026 06:30
edwardsmit added a commit that referenced this pull request May 20, 2026
* feat!: prepare 1.0.0 baseline with CVE-shape patches and CI

* chore: commit package-lock.json for reproducible installs

---------

Co-authored-by: Edward Smit <edwardsmit@xs4all.nl>