silentmatt · jorenbroekema · Jan 10, 2024 · Nov 6, 2025 · Nov 25, 2025 · Dec 7, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,25 @@
 # Changelog
 
+## [3.0.1] - 2025-12-07
+
+### Added
+
+- Additional fix for member access issue identified by @huydoppaz in https://github.com/silentmatt/expr-eval/issues/289 and advisory [CVE-2025-12735](https://github.com/advisories/GHSA-jc85-fpwf-qm7x), same as fix in previous version.
+
+## [3.0.0] - 2025-11-07
+
+### Added
+
+- BREAKING: `.evaluate()` no longer allows arbitrary and potentially malicious context to be passed for custom function strings. Such functions need to be defined on `Parser.functions`, e.g. `Parser.functions.f = () => {}` rather than `.evaluate({ f: () => {} })`. This fixes [CVE-2025-12735](https://github.com/advisories/GHSA-jc85-fpwf-qm7x).
+- BREAKING: add exports map to make usage with modern JS environments smoother, not requiring bundlers.
+- BREAKING: require Node 16.9.0 minimum, to support `Object.hasOwn` which is safer than its predecessor `Object.prototype.hasOwnPropery`.
+
 ## [2.0.2] - 2019-09-28
 
 ### Added
 
 - Added non-default exports when using the ES module format. This allows `import { Parser } from 'expr-eval'` to work in TypeScript. The default export is still available for backward compatibility.
+- This fork publishes a security vulnerability fix for prototype pollution. This was committed to the origin project but never published to NPM.
 
 
 ## [2.0.1] - 2019-09-10

diff --git a/README.md b/README.md
@@ -1,9 +1,13 @@
 JavaScript Expression Evaluator
 ===============================
 
-[![npm](https://img.shields.io/npm/v/expr-eval.svg?maxAge=3600)](https://www.npmjs.com/package/expr-eval)
-[![CDNJS version](https://img.shields.io/cdnjs/v/expr-eval.svg?maxAge=3600)](https://cdnjs.com/libraries/expr-eval)
-[![Build Status](https://travis-ci.org/silentmatt/expr-eval.svg?branch=master)](https://travis-ci.org/silentmatt/expr-eval)
+[![npm](https://img.shields.io/npm/v/expr-eval-fork.svg?maxAge=3600)](https://www.npmjs.com/package/expr-eval-fork)
+[![CDNJS version](https://img.shields.io/cdnjs/v/expr-eval-fork.svg?maxAge=3600)](https://cdnjs.com/libraries/expr-eval-fork)
+[![Build Status](https://travis-ci.org/silentmatt/expr-eval-fork.svg?branch=master)](https://travis-ci.org/silentmatt/expr-eval-fork)
+
+> This fork addresses https://github.com/silentmatt/expr-eval/issues/266, security fix has been committed but was never released to NPM
+> Therefore, we publish expr-eval-fork to NPM to work around this issue.
+> If expr-eval ever gets released, raise an issue and we'll deprecate this fork.
 
 Description
 -------------------------------------

diff --git a/index.js b/index.js
@@ -18,7 +18,7 @@ export {
 };
 
 // Backwards compatibility
-export default{
+export default {
   Parser: Parser,
   Expression: Expression
 };