
json-schema dep is vulnerable to prototype pollution #33

Closed
bahamat opened this issue Nov 16, 2021 · 1 comment

Comments

@bahamat (Member, Author) commented Nov 17, 2021

Tests pass with json-schema@0.4.0

> git diff package.json 
diff --git a/package.json b/package.json
index 400ae49..6820359 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jsprim",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "utilities for primitive JavaScript types",
   "main": "./lib/jsprim.js",
   "repository": {
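Review bot: the patch-level bump from "2.0.1" to "2.0.2" is appropriate for a change whose only code-visible effect is a dependency upgrade, but since the reason for the release is the prototype pollution fix in json-schema, that should be stated in the release notes so downstream consumers of jsprim know this is a security update worth picking up.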
@@ -10,7 +10,7 @@
   "dependencies": {
      "assert-plus": "1.0.0",
      "extsprintf": "1.3.0",
-     "json-schema": "0.2.3",
+     "json-schema": "0.4.0",
      "verror": "1.10.0"
   },
   "engines": [
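Review bot: "json-schema" moves from "0.2.3" to "0.4.0", a minor-version jump in a pre-1.0 package, so behaviour changes beyond the prototype pollution fix are possible; the test output below shows test/validate.js still passing, but the "WARNING: accepted string as integer" and "WARNING: accepted malformed date" lines in that output should be confirmed as pre-existing leniency rather than new behaviour introduced by 0.4.0. Keeping the exact pin (no caret or tilde) matches the other dependencies in this block and is the right choice for reproducible installs.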
> make test
node test/basic.js
test case 0 [
  [
    'level1-A',
    {
      'level2-Aa': [Object],
      'level2-Ab': [Object],
      'level2-Ac': [Object]
    }
  ],
  [
    'level1-B',
    {
      'level2-Ba': [Object],
      'level2-Bb': [Object],
      'level2-Bc': [Object]
    }
  ]
]
test case 1 [
  [
    'level1-A',
    'level2-Aa',
    { 'level3-Aai': 4, 'level3-Aaii': 7, 'level3-Aaiii': 2 }
  ],
  [ 'level1-A', 'level2-Ab', { 'level3-Abi': 51, 'level3-Abii': 31 } ],
  [
    'level1-A',
    'level2-Ac',
    { 'level3-Aci': 1351, 'level3-Acii': 121 }
  ],
  [
    'level1-B',
    'level2-Ba',
    { 'level3-Bai': 8, 'level3-Baii': 7, 'level3-Baiii': 6 }
  ],
  [ 'level1-B', 'level2-Bb', { 'level3-Bbi': 5, 'level3-Bbii': 4 } ],
  [ 'level1-B', 'level2-Bc', { 'level3-Bci': 3, 'level3-Bcii': 2 } ]
]
test case 2 [
  [ 'level1-A', 'level2-Aa', 'level3-Aai', 4 ],
  [ 'level1-A', 'level2-Aa', 'level3-Aaii', 7 ],
  [ 'level1-A', 'level2-Aa', 'level3-Aaiii', 2 ],
  [ 'level1-A', 'level2-Ab', 'level3-Abi', 51 ],
  [ 'level1-A', 'level2-Ab', 'level3-Abii', 31 ],
  [ 'level1-A', 'level2-Ac', 'level3-Aci', 1351 ],
  [ 'level1-A', 'level2-Ac', 'level3-Acii', 121 ],
  [ 'level1-B', 'level2-Ba', 'level3-Bai', 8 ],
  [ 'level1-B', 'level2-Ba', 'level3-Baii', 7 ],
  [ 'level1-B', 'level2-Ba', 'level3-Baiii', 6 ],
  [ 'level1-B', 'level2-Bb', 'level3-Bbi', 5 ],
  [ 'level1-B', 'level2-Bb', 'level3-Bbii', 4 ],
  [ 'level1-B', 'level2-Bc', 'level3-Bci', 3 ],
  [ 'level1-B', 'level2-Bc', 'level3-Bcii', 2 ]
]
basic tests okay
node test/validate.js
property "gid": is missing and it is required
property "gid": 5 - number value found, but a string is required
property "gid": [object object] - object value found, but a string is required
property "gid": must be at least 1 characters long
property "ord": food - string value found, but a integer is required
WARNING: accepted string as integer
property "ord": 3.582 - number value found, but a integer is required
property "ord": must have a minimum value of 0
property "state": does not have a value in the enumeration dispatched, running, done, cancelled, aborted
WARNING: accepted malformed date
property "results": there must be a minimum of 1 in the array
property "results[0].extra": unsupported property
node test/hrtimediff.js
[0,900] - [0,800] = [0,100]
[52,0] - [48,0] = [4,0]
[1,900456789] - [0,800123456] = [1,100333333]
[57,123456789] - [57,123456789] = [0,0]
[57,123456789] - [0,0] = [57,123456789]
[1,200] - [0,400] = [0,999999800]
[0,900] - [0,-100] (expect fail): negative numbers not allowed in hrtimes
[1,100] - [-1,0] (expect fail): negative numbers not allowed in hrtimes
[0,0] - [0,1000000000] (expect fail): nanoseconds column overflow
[0,300] - [1,100] (expect fail): negative differences not allowed
[5,300] - [5,400] (expect fail): negative differences not allowed
node test/hrtimesecs.js
passing test case:
	in = [0,0]
	nano = 0
	micro = 0
	milli = 0
passing test case:
	in = [0,1000]
	nano = 1000
	micro = 1
	milli = 0
passing test case:
	in = [0,1999]
	nano = 1999
	micro = 1
	milli = 0
passing test case:
	in = [1000000000,0]
	nano = 1000000000000000000
	micro = 1000000000000000
	milli = 1000000000000
passing test case:
	in = [5,123456789]
	nano = 5123456789
	micro = 5123456
	milli = 5123
failing test case:
	in = null
	nano error = TypeError: Cannot read property '0' of null
	micro error = TypeError: Cannot read property '0' of null
	milli error = TypeError: Cannot read property '0' of null
failing test case:
	in = [-1,0]
	nano error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
	micro error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
	milli error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case:
	in = [0,-1]
	nano error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
	micro error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
	milli error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case:
	in = [0,1000000000]
	nano error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
	micro error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
	milli error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
node test/hrtimeadd.js
passing test case (hrtimeAccum):
	a = [0,0]
	b = [0,0]
	accum = [0,0]
passing test case (hrtimeAccum):
	a = [1000000000,0]
	b = [50,0]
	accum = [1000000050,0]
passing test case (hrtimeAccum):
	a = [0,999999999]
	b = [0,1]
	accum = [1,0]
passing test case (hrtimeAccum):
	a = [0,999999999]
	b = [0,0]
	accum = [0,999999999]
passing test case (hrtimeAccum):
	a = [0,999999999]
	b = [0,999999999]
	accum = [1,999999998]
passing test case (hrtimeAccum):
	a = [0,999999999]
	b = [0,999999999]
	accum = [1,999999998]
passing test case (hrtimeAccum):
	a = [50,999999999]
	b = [1000000000,999999999]
	accum = [1000000051,999999998]
failing test case (hrtimeAccum):
	a = null
	b = null
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAccum):
	a = null
	b = [0,0]
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAccum):
	a = [0,0]
	b = null
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAccum):
	a = [-1,0]
	b = [0,0]
	error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case (hrtimeAccum):
	a = [0,0]
	b = [0,-1]
	error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case (hrtimeAccum):
	a = [0,1000000000]
	b = [0,0]
	error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
failing test case (hrtimeAccum):
	a = [0,0]
	b = [0,1000000000]
	error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
passing test case (hrtimeAdd):
	a = [0,0]
	b = [0,0]
	result = [0,0]
passing test case (hrtimeAdd):
	a = [1000000000,0]
	b = [50,0]
	result = [1000000050,0]
passing test case (hrtimeAdd):
	a = [0,999999999]
	b = [0,1]
	result = [1,0]
passing test case (hrtimeAdd):
	a = [0,999999999]
	b = [0,0]
	result = [0,999999999]
passing test case (hrtimeAdd):
	a = [0,999999999]
	b = [0,999999999]
	result = [1,999999998]
passing test case (hrtimeAdd):
	a = [0,999999999]
	b = [0,999999999]
	result = [1,999999998]
passing test case (hrtimeAdd):
	a = [50,999999999]
	b = [1000000000,999999999]
	result = [1000000051,999999998]
failing test case (hrtimeAdd):
	a = null
	b = null
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAdd):
	a = null
	b = [0,0]
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAdd):
	a = [0,0]
	b = null
	error = TypeError: Cannot read property '0' of null
failing test case (hrtimeAdd):
	a = [-1,0]
	b = [0,0]
	error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case (hrtimeAdd):
	a = [0,0]
	b = [0,-1]
	error = AssertionError [ERR_ASSERTION]: negative numbers not allowed in hrtimes
failing test case (hrtimeAdd):
	a = [0,1000000000]
	b = [0,0]
	error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
failing test case (hrtimeAdd):
	a = [0,0]
	b = [0,1000000000]
	error = AssertionError [ERR_ASSERTION]: nanoseconds column overflow
node test/extraprops.js
test_cases[0]:
	obj: null
	allowed: ["one","two"]
test_cases[1]:
	obj: {"charlie":"horse"}
	allowed: ["charlie",5]
test_cases[2]:
	obj: {"charlie":"horse"}
	allowed: {"charlie":true}
test_cases[3]:
	obj: {"strict":true,"hapless":true,"quality":-3}
	allowed: ["strict","advisable","decent","quality"]
test_cases[4]:
	obj: {}
	allowed: []
test_cases[5]:
	obj: {"strict":true,"quality":100}
	allowed: ["strict","advisable","decent","quality"]
test_cases[6]:
	obj: {"false":null}
	allowed: []
node test/merge.js
test case: null user, basic overrides and defaults
{ b: 7, a: 3 }
test case: undefined user, basic overrides and defaults
{ b: 7, a: 3 }
test case: empty user, basic overrides and defaults
{ b: 7, a: 3 }
test case: combination of user, overrides, defaults
{ b: 4, d: 15, a: 9, c: 5 }
TEST PASSED
node test/parse-integer.js
testing parsing in base 2
testing parsing in base 3
testing parsing in base 8
testing parsing in base 10
testing parsing in base 16
testing parsing in base 36
test base 2 prefixes: ["b","B"]
test base 8 prefixes: ["o","O"]
test base 10 prefixes: ["t","T"]
test base 16 prefixes: ["x","X"]
testing edge cases
testing imprecise parsing
testing octal notation
testing invalid values
tests okay
